SAP Security Patch for July 2017:
The recently published patch release addresses several vulnerabilities, some of which may require manual steps to fix, e.g.:
• Code injection vulnerability (CVSS Base Score: 6.5) in SAP Governance, Risk and Compliance Access Controls (#GRC)
• Cross-site scripting and Cross-site request forgery (CVSS Base Score: 6.1) in SAP #CRM Internet Sales Administration Console
• And a deadly one for Retail customers: Missing authorization checks in SAP Point of Sale (#POS) Retail Xpress Server (CVSS score of 8.1). The bug could be exploited to read, write, or delete files stored on the SAP POS server; shut down the Xpress Server application; and monitor all content displayed on the receipt window of a POS.
• Missing authorization check vulnerability in SAP Host Agent (CVSS Base Score: 7.5) affecting all NetWeaver-based applications as well as HANA 1 and HANA 2. It could allow access to a service without any authorization procedure and use of service functionality that has restricted access. This can lead to information disclosure, privilege escalation, and other attacks.
…Whilst the July SAP patch release resolves these risks, wouldn’t you rather consider an Independent SAP CyberSecurity Audit today to know how you may fare against an SAP-directed cyber-attack?
Information on Patch release: https://blogs.sap.com/2017/07/11/sap-security-patch-day-july-2017/