11 patches ship on Patch Tuesday
While you were sighing your way through Microsoft’s Patch Tuesday, enterprise vendor SAP slid 11 security advisories under your door.
Top of the list is a depressingly familiar howler in SAP Cloud Connector versions before 2.11.3: the software neglects authentication checks for functions that require user identity (CVE-2019-0246). A related bug in the same versions of Cloud Connector, CVE-2019-0247, can be exploited to achieve remote code injection.
The German titan’s systems management environment, SAP Landscape Management, is also on the critical list thanks to a sketchily described information disclosure bug, CVE-2019-0249.
Two other products suffered authentication slip-ups. The company’s BW/4HANA data warehouse (CVE-2019-0243) and SAP Enterprise Financial Services (CVE-2018-2484) both have authentication blunders that can result in privilege escalation.
There are two denial-of-service bugs in the list: one in the company’s Work and Inventory Manager (CVE-2019-0241), the other via crafted malicious links in Business Objects for Android (CVE-2019-0240).