SAP today released its September 2018 set of patches to address a total of 14 vulnerabilities in its products, including a critical bug in SAP Business Client.

Featuring a CVSS score of 9.8 and rated Hot News, the vulnerability impacts the browser control Chromium delivered with SAP Business Client. The issue was initially addressed on April 2018 Patch Day, but SAP decided to update the Security Note today.

Of the remaining 13 Security Notes included in this month’s Security Patch Day, three were rated High severity, 9 Medium risk, and 1 Low severity. 

Impacted SAP products include Business One, BEx Web Java Runtime Export Web Service, HANA, WebDynpro, NetWeaver AS Java, Hybris Commerce, Plant Connectivity, Adaptive Server Enterprise, HCM Fiori "People Profile" (GBX01HR), Mobile Platform, Enterprise Financial Services, and Business One Android application. 

SAP also released 8 Support Package Notes this month, for a total of 22 Security Notes, ERPScan, a company that specializes in securing Oracle and SAP products, reveals. 4 of the notes were released over the course of the last month. 

Missing Authorization Check was the most encountered type of vulnerability, followed by information disclosure, Cross-Site Scripting, and XML External Entity issues. SAP also addressed implementation flaws, denial of service, SQL injection, buffer overflow, and server side request forgery vulnerabilities. 

The most important bugs closed in September (all featuring a CVSS Base Score of 8.8) include a Missing Authorization check vulnerability in SAP ECC Sales Support, an Information Disclosure vulnerability in Business One and HANA Installer, and a Missing XML Validation (XXE) vulnerability in BEx Web Java Runtime Export Web Service.

Another important bug was a denial of service vulnerability in SAP HANA, Extended Application Services Classic Model. Tracked as CVE-2018-2465, the flaw has a CVSS score of 7.5 and is considered High risk.

Discovered by Onapsis researchers, the flaw can be exploited by a remote, unauthenticated attacker through a large crafted request to a default API or to ODATA services present in a HANA XS system abusing the XML parsing, the company says.

“Even though a Denial Of Service attack is the easiest way to exploit this vulnerability, a more complex attack could lead to a potential remote code execution (RCE), that could lead to even worse scenarios for the affected users,” Sebastian Bortnik, Director Of Research for Onapsis, told SecurityWeek in an emailed comment.

A Cross-Site Scripting issue in NetWeaver AS Java Logon Application (versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40 and 7.50) can lead to defacements, user credentials compromises, or user impersonation, Onapsis, which also focuses on securing Oracle and SAP applications, explains. 

Related: SAP Releases August 2018 Security Updates

Related: SAP Releases Critical Updates for Two Security Notes