SAP has closed 48 vulnerabilities in its critical patch update for October 2016, almost twice the monthly average.
Most of the vulnerabilities closed in the latest patch, according to security research firm ERPScan, are flaws in authorisation checking; the patches address them by implementing new switchable authorisation checks.
An ERPScan advisory said that these new checks are inactive by default to preserve compatibility with existing business processes, so it is important to activate them through the Switchable Authorisation Checks Framework; until a check is switched on, the patch does not enforce it.
One of the patches was for a missing authentication check vulnerability affecting SAP NetWeaver AS Java P4 that was originally identified and patched back in 2012. However, a related issue remained that allowed remote control of SAP's Java platform; this has now been fixed in the latest update.
According to ERPScan figures, around 256 systems are still exposed with this vulnerability. SAP customers are advised to apply the security update as soon as possible.