Flaws fixed in SAP’s police and military software


Three of the 31 patches pushed out by SAP on Tuesday tackle flaws in the ERP giant’s technology for Defense Forces & Public Security.

In particular, SAP’s Defense Forces & Public Security and SAP Mobile Defense & Security components are susceptible to a missing authorisation check vulnerability. “This issue potentially allows an attacker to read, modify or delete restricted data and is not usually considered critical,” Alexander Polyakov, CTO and co-founder at ERPScan, told El Reg. “However, the effect of even such low-impact vulnerability could be devastating when it comes to armed forces.”

SAP for Defense Forces & Public Security is designed for armed forces, police, and aid organisations and offers ERP technology optimised to their particular needs. The software offers functions such as mapping organisational structures and material and personnel resource planning, accounting and funds management, materials management and more.

Other significant patches in SAP’s December batch include a fix for a directory traversal flaw in the SAP UserAdmin Application and a patch for a potential remote code execution bug in SAP BI Platform.

Now that the December patch batch is out, yearly totals can be compiled. SAP released 315 patches throughout 2016, slightly fewer than in 2015. Cross-site scripting (XSS) remains the most common vulnerability type, ERPScan reports. El Reg has invited SAP to comment on ERPScan’s take on its December patch batch and we’ll update this story as and when we hear more.

[Source: The Register]