CONFIDENTIAL
Agenda
Introductions
Purpose of Webcast
CVSS Explained
Security Note Release Review
Conclusion
Introductions
Onapsis
Innovative ERP security software (Onapsis X1, Onapsis Bizploit, Onapsis IA).
Alex Horan
Product Manager
Security Presenter
Purpose of Webcast
CVSS
http://www.first.org/cvss
The Common Vulnerability Scoring System (CVSS) is an open, standardized method for rating IT vulnerabilities. It helps organizations prioritize and coordinate a joint response to security vulnerabilities by communicating the base, temporal and environmental properties of a vulnerability. The scores quoted in this review are CVSS v2 base scores shown with their base vectors (AV/AC/Au/C/I/A); they carry no temporal or environmental adjustment, so the same note can deserve a different priority in your own landscape.
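As an added illustration (not part of the original deck), the following Python block recomputes a CVSS v2 base score from its vector string, so a reviewer can check that the score printed on a slide actually matches the vector beside it. The weights and formula are the CVSS v2 base equations; the NOTE_SCORES list is transcribed from the slides that follow; the Low/Medium/High bands are NVD's for v2 scores. The function and variable names are this example's own.

```python
import re

# Metric weights from the CVSS v2 base equation (FIRST, CVSS v2 guide).
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}

# The deck writes "AU:" where the spec writes "Au:", so match case-insensitively,
# and accept the vector with or without the surrounding parentheses.
_VECTOR_RE = re.compile(
    r"^\(?AV:(?P<AV>[LAN])/AC:(?P<AC>[HML])/AU:(?P<AU>[MSN])"
    r"/C:(?P<C>[NPC])/I:(?P<I>[NPC])/A:(?P<A>[NPC])\)?$",
    re.IGNORECASE,
)


def parse_vector(vector):
    """Split a CVSS v2 base vector into its six metrics (values upper-cased)."""
    m = _VECTOR_RE.match(vector.strip())
    if not m:
        raise ValueError(f"not a CVSS v2 base vector: {vector!r}")
    return {k: v.upper() for k, v in m.groupdict().items()}


def _round1(x):
    # Round half up to one decimal place, as the v2 guide does; avoids
    # Python's round-half-to-even on binary floats.
    return int(x * 10 + 0.5) / 10


def base_score(vector):
    """CVSS v2 base score for a vector such as 'AV:N/AC:L/Au:N/C:P/I:P/A:N'."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT[m["C"]]) * (1 - IMPACT[m["I"]]) * (1 - IMPACT[m["A"]]))
    exploitability = 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["AU"]]
    f_impact = 0.0 if impact == 0 else 1.176
    return _round1(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact)


def severity(score):
    """NVD's severity bands for CVSS v2 base scores."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


# (SAP note number, score as printed on the slide, vector as printed on the slide)
NOTE_SCORES = [
    ("1922547", 6.4, "AV:N/AC:L/AU:N/C:P/I:P/A:N"),
    ("1963100", 9.0, "AV:N/AC:L/AU:S/C:C/I:C/A:C"),
    ("1965610", 7.5, "AV:N/AC:M/AU:S/C:P/I:P/A:C"),
    ("1985100", 6.0, "AV:N/AC:M/AU:S/C:P/I:P/A:P"),
    ("2007530", 7.5, "AV:N/AC:L/AU:N/C:P/I:P/A:P"),
    ("2036562", 8.8, "AV:N/AC:M/AU:N/C:N/I:C/A:C"),
    ("2053074", 8.8, "AV:N/AC:M/AU:N/C:N/I:C/A:C"),
    ("1979454", 6.5, "AV:N/AC:L/AU:S/C:P/I:P/A:P"),
]


def mismatches(notes=NOTE_SCORES):
    """Notes whose printed score differs from the score recomputed from the vector."""
    return [(n, printed, base_score(v)) for n, printed, v in notes if base_score(v) != printed]


if __name__ == "__main__":
    for note, printed, vector in NOTE_SCORES:
        print(note, vector, printed, base_score(vector), severity(printed))
    print("mismatches:", mismatches())
```

Running it shows that every vector on these slides reproduces its printed score; the same check is worth applying to any advisory feed, since a transcription error in either the score or the vector silently changes the priority a note receives.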
January
1922547
Title
CVSS
6.4 (AV:N/AC:L/AU:N/C:P/I:P/A:N)
Details
The NW Portal new iView wizard component does not perform authentication checks on a user's access to some of its functions.
February
33 Security Notes Released (67 YTD)
Ten notes addressed hardcoded credentials
o 1914777, 1915873, 1920323, 1738965, 1795463, 1768049, 1911174, 1791081, 1789569
1963100
Title
CVSS
9.0 (AV:N/AC:L/AU:S/C:C/I:C/A:C)
Details
The CTC application contains a vulnerability through which any operating system command can be executed on an AS Java host by invoking a URL with NWA credentials. Normally this requires authentication with NWA credentials; if SAP Security Note 1445998 has not already been implemented, it can be done without them.
March
9 Security Notes Released (76 YTD)
First HANA vulnerabilities reported by third party
Highlight Note Details
Number
1965610
Title
CVSS
7.5 (AV:N/AC:M/AU:S/C:P/I:P/A:C)
Details
The program code makes it possible to define and execute operating system commands that change the behavior of the system. A valid, authenticated user is required. Depending on the command, the user can:
April
23 Security Notes Released (99 YTD)
6 Notes with a CVSS score of 6.0
o Two allow for arbitrary ABAP code execution
1985100
Title
CVSS
6.0 (AV:N/AC:M/AU:S/C:P/I:P/A:P)
Details
The program code makes it possible to define and execute user-defined code that changes the behavior of the system. A valid, authenticated user is required. Depending on the code, the user can:
May
17 Security Notes Released (116 YTD)
3 Notes released related to the Heartbleed vulnerability
2015882
Title
CVSS
Details
The excluded-parameter pattern introduced in Apache Struts 2.3.16.1 to block access to the getClass() method was not sufficient; it can be bypassed with specially crafted requests.
According to NVD: ParametersInterceptor in Apache Struts before 2.3.16.2 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.
June
21 Security Notes Released (137 YTD)
8 Notes with CVSS of 5.0 or higher
2007530
Title
CVSS
7.5 (AV:N/AC:L/AU:N/C:P/I:P/A:P)
Details
BC-SRV-KPR-CS does not perform authentication checks when shadow passwords are enabled. This may result in undesired system behavior.
July
14 Security Notes Released (151 YTD)
Vulnerability patched in Afaria server
2036562
Title
CVSS
8.8 (AV:N/AC:M/AU:N/C:N/I:C/A:C)
Details
The problem is caused by an SQL injection vulnerability. The code composes an SQL statement that contains strings that can be altered by an attacker. The manipulated SQL statement can then be used to modify information in the database.
August
37 Security Notes Released (188 YTD)
3 Notes over 8.0
2053074
Title
CVSS
8.8 (AV:N/AC:M/AU:N/C:N/I:C/A:C)
Details
The problem is caused by an SQL injection vulnerability. The code composes an SQL statement that contains strings that can be altered by an attacker. The manipulated SQL statement can then be used to modify information in the database.
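The July (2036562) and August (2053074) notes describe the same defect class in the same words. As an added example, not code from the deck, from SAP or from Afaria, the following Python block with sqlite3 shows that pattern concretely: an UPDATE composed from a string the caller controls, next to the parameterized form that fixes it. The table, the three rows and the payload are constructed for the illustration; only the statement shape is the point.

```python
import sqlite3


def make_db():
    """In-memory table with constructed sample rows (not data from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, phone TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "100"), (2, "bob", "200"), (3, "carol", "300")],
    )
    conn.commit()
    return conn


def update_phone_vulnerable(conn, user_id, phone):
    """The pattern the notes describe: the statement is composed from a string the
    caller controls, so the 'phone' value can rewrite the WHERE clause."""
    sql = "UPDATE users SET phone='%s' WHERE id=%d" % (phone, int(user_id))
    conn.execute(sql)
    conn.commit()
    return sql  # returned so the caller can see what was actually executed


def update_phone_safe(conn, user_id, phone):
    """Hardened form: bound parameters, so the value can never become SQL syntax."""
    conn.execute("UPDATE users SET phone=? WHERE id=?", (phone, int(user_id)))
    conn.commit()


def phones(conn):
    """Current id -> phone mapping, for inspecting the effect of each update."""
    return dict(conn.execute("SELECT id, phone FROM users ORDER BY id"))


# Constructed payload: closes the string literal, replaces the WHERE clause with a
# tautology, and comments out the remainder of the original statement.
PAYLOAD = "0' WHERE 1=1 --"


def demo():
    """Run the payload through both versions as user 2; returns both phone columns."""
    vuln = make_db()
    update_phone_vulnerable(vuln, 2, PAYLOAD)  # user 2 should only touch their own row
    safe = make_db()
    update_phone_safe(safe, 2, PAYLOAD)
    return phones(vuln), phones(safe)


if __name__ == "__main__":
    print(update_phone_vulnerable(make_db(), 2, PAYLOAD))
    vulnerable_result, safe_result = demo()
    print("vulnerable:", vulnerable_result)
    print("safe:      ", safe_result)
```

In the vulnerable version every row's phone becomes "0" because the executed statement is `UPDATE users SET phone='0' WHERE 1=1 --' WHERE id=2`; in the safe version the payload lands in user 2's phone column as an ordinary string and no other row changes. The `int(user_id)` cast is not the fix: it only keeps the id out of the injectable part, while the value is what carries the attack.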
September
29 Security Notes Released (217 YTD)
Note published for SAP ONE CLOUD solution
1979454
Title
CVSS
6.5 (AV:N/AC:L/AU:S/C:P/I:P/A:P)
Details
Batch Input Recorder does not contain authorization checks verifying an authenticated user's authorization to access some of its functions. This may result in undesired system behavior.
October
34 Security Notes Released (251 YTD)
Hot News item delivered
Highlight Note Details
Number
2043404
Title
CVSS
Details
Batch Input Recorder does not contain authorization checks verifying an authenticated user's authorization to access some of its functions.
The program code makes it possible to define and execute user-defined code that changes the behavior of the system. A valid, authenticated user is not required. Depending on the code, the user can:
Conclusion
Questions?
Alex Horan: ahoran@onapsis.com