SAP released 19 patches on Tuesday, fixing a trio of vulnerabilities marked high severity in its business management software.
The most pressing fixes are for a directory traversal vulnerability in the company’s Netweaver AS Java Web Container, a code injection vulnerability in its Visual Composer design tool, and a cross-site AJAX request vulnerability in its BusinessObjects suite of applications.
The Netweaver vulnerability is concerning because it could let an attacker obtain critical technical or business-related information from an SAP system. An attacker could use the vulnerability to access arbitrary files and directories on the affected SAP server's filesystem, not just content under the web application's own root.
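To make the traversal pattern concrete, here is an added example written for this page (not SAP's code, and not the NetWeaver bug itself): a naive static-file handler that joins a request path onto a web root, beside a hardened version that canonicalises the path and refuses anything that resolves outside the root. The directory layout, file names and contents are constructed for the demo.

```python
import tempfile
from pathlib import Path
from urllib.parse import unquote

# Constructed sandbox for the demo: a web root with one public page and a
# sibling config directory that must never be served. Names are illustrative
# and are not SAP NetWeaver paths.
BASE = Path(tempfile.mkdtemp(prefix="traversal_demo_"))
WEBROOT = BASE / "webroot"
(WEBROOT / "public").mkdir(parents=True)
(WEBROOT / "public" / "index.html").write_text("<h1>hello</h1>\n")
(BASE / "config").mkdir()
(BASE / "config" / "db.properties").write_text("db.password=hunter2\n")


def serve_vulnerable(user_path: str) -> str:
    """Naive static-file handler: URL-decodes the request path (as a web
    container does) and joins it onto the web root. '..' segments and
    absolute paths are handed straight to the OS, so the lookup can land
    anywhere on the filesystem."""
    return (WEBROOT / unquote(user_path)).read_text()


def serve_hardened(user_path: str) -> str:
    """Same handler with a canonicalisation check: resolve both the web root
    and the requested target (following symlinks), then require the target
    to sit strictly below the root before opening it."""
    root = WEBROOT.resolve()
    target = (root / unquote(user_path)).resolve()
    if root not in target.parents:
        raise PermissionError(f"path escapes web root: {user_path!r}")
    if not target.is_file():
        raise FileNotFoundError(user_path)
    return target.read_text()


def probe(handler, user_path: str):
    """Run one request through a handler; report ('ok', body) or ('blocked', None)."""
    try:
        return ("ok", handler(user_path))
    except (PermissionError, FileNotFoundError, IsADirectoryError):
        return ("blocked", None)


if __name__ == "__main__":
    for path in ["public/index.html", "../config/db.properties",
                 "%2e%2e/config/db.properties", "public/../../config/db.properties"]:
        print(f"{path:36} vulnerable={probe(serve_vulnerable, path)[0]:8} "
              f"hardened={probe(serve_hardened, path)[0]}")
```

The containment test is done on the resolved path rather than by searching the raw string for `..`, so percent-encoded and mixed `public/../..` variants are caught the same way, and a symlink planted inside the web root that points outside it is rejected too.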
The SAP Visual Composer vulnerability is equally troubling because it could give an attacker access to sensitive information. In some cases the bug could let an attacker inject and run their own code, modify data, create new users, control the system's behavior, escalate privileges, or carry out a denial-of-service attack.
Researchers with Onapsis, who found the Visual Composer vulnerability, warn that multiple versions of the tool, a browser-based web application, are vulnerable.
“A large number of Visual Composer versions, starting from 7.00, are affected. Therefore, due to the affected version scope, even when this component might not be actively used in your organization, it has an increased probability of being part of an attack,” Sebastian Bortnik, the firm’s head of research, wrote Tuesday. “Definitely consider patching the vulnerability before providing access to the Enterprise Portal to organizations outside of your own, since the consequences might go beyond having to write an internal email to your employees.”
The third high-severity bug, a vulnerability in SAP BusinessObjects, could let an attacker ride a logged-in user's session, provided the attacker could convince that user to follow a request to a particular URL carrying specific parameters; the victim's browser supplies the session cookie, and the application acts on the request as if the user had made it.
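As an added illustration of the cross-site request pattern described above (example code written for this page, not SAP's code and not the BusinessObjects bug itself): a state-changing handler that trusts the session cookie alone, beside a hardened version that demands a POST, a same-origin Origin/Referer header and a session-bound anti-CSRF token. The application origin, URL, parameter and cookie names, and the in-memory session store are all assumptions made for the demo.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed application origin, server key and in-memory session store,
# constructed for the demo; none of this is SAP BusinessObjects configuration.
APP_ORIGIN = "https://bi.example.internal"
SERVER_KEY = secrets.token_bytes(32)
SESSIONS = {}  # session id -> session state


@dataclass
class Request:
    method: str
    path: str
    params: dict
    cookies: dict
    headers: dict = field(default_factory=dict)


def login(user: str) -> str:
    """Create a session and return the cookie value the browser will store."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "email": f"{user}@example.internal"}
    return sid


def csrf_token(sid: str) -> str:
    """Anti-CSRF token bound to the session with a server-side key. Pages the
    application serves to the logged-in user embed it; an attacker's page
    cannot read the cookie or the token, so it cannot forge one."""
    return hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()


def update_email_vulnerable(req: Request) -> int:
    """Acts on the session cookie alone: any site that makes the victim's
    browser request this URL with the right parameters changes the email."""
    sess = SESSIONS.get(req.cookies.get("JSESSIONID", ""))
    if sess is None:
        return 401
    sess["email"] = req.params["email"]
    return 200


def update_email_hardened(req: Request) -> int:
    """Requires a POST, a same-origin Origin (or Referer) header, and a valid
    session-bound token before touching state."""
    sid = req.cookies.get("JSESSIONID", "")
    sess = SESSIONS.get(sid)
    if sess is None:
        return 401
    if req.method != "POST":
        return 405
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not (origin == APP_ORIGIN or origin.startswith(APP_ORIGIN + "/")):
        return 403
    token = req.params.get("csrf", "")
    if not hmac.compare_digest(token, csrf_token(sid)):
        return 403
    sess["email"] = req.params["email"]
    return 200


def forged_request(sid: str, method: str = "GET") -> Request:
    """What arrives when the victim follows an attacker-supplied link or an
    attacker's page fires a form/AJAX request: the browser attaches the
    session cookie, but the Origin is the attacker's site and no token."""
    return Request(method, "/profile/update",
                   {"email": "attacker@evil.example"},
                   {"JSESSIONID": sid},
                   {"Origin": "https://evil.example"})


def legit_request(sid: str, new_email: str) -> Request:
    """A request submitted from the application's own page, token included."""
    return Request("POST", "/profile/update",
                   {"email": new_email, "csrf": csrf_token(sid)},
                   {"JSESSIONID": sid},
                   {"Origin": APP_ORIGIN})


if __name__ == "__main__":
    alice = login("alice")
    print("vulnerable, forged GET :", update_email_vulnerable(forged_request(alice)),
          SESSIONS[alice]["email"])
    bob = login("bob")
    print("hardened, forged GET   :", update_email_hardened(forged_request(bob)))
    print("hardened, forged POST  :", update_email_hardened(forged_request(bob, "POST")))
    print("hardened, legit POST   :",
          update_email_hardened(legit_request(bob, "bob.new@example.internal")),
          SESSIONS[bob]["email"])
```

The three checks are layered deliberately: the method check stops link-following and image-tag tricks, the origin check stops cross-site form posts from browsers that send Origin, and the token check holds even where a client omits both headers.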
The bulk of the remaining patches were rated medium severity and addressed a mix of cross-site scripting, SQL injection, and server-side request forgery bugs.