"SAP Patches Critical NetWeaver and ABAP Platform Vulnerabilities"

SAP, a business software and solutions provider, recently released several new security notes on its June 2022 security patch day. In particular, the document outlined ten new notes and two updated ones. One vulnerability mentioned in SAP's June notes is CVE-2022-27668. The company stated that the flaw is an improper access control issue related to the SAProuter proxy in NetWeaver and ABAP Platform and has a CVSS score of 8.6. According to SAP, depending on the configuration of the route permission table in a specific file, an unauthenticated attacker can execute SAProuter administration commands in SAP NetWeaver and ABAP Platform from a remote client. Another vulnerability in SAP's June notes, with a CVSS score of 7.8, is a potential privilege escalation in SAP PowerDesigner Proxy 16.7. This vulnerability allows an attacker with low privileges and local access, who is able to work around the system's root disk access restrictions, to write or create a program file on the system disk root path. The company noted that the program file can then be executed with elevated privileges during application startup or reboot, potentially compromising the confidentiality, integrity, and availability of the system. The other vulnerabilities mentioned in the June notes are medium or low priority. The company stated that most of the vulnerabilities mentioned in its June 2022 security patch day advisory now have fixes available and advised companies to update their systems as soon as possible.

 

Infosecurity reports: "SAP Patches Critical NetWeaver and ABAP Platform Vulnerabilities"
