[CERT ALERT] – SAP Internet Graphics Server – Multiple vulnerabilities

CERT-DVT CERT Alert, SAP Security

Vendor : SAP
Application : SAP Internet Graphics Server (IGS)
Affected versions : SAP IGS 7.20, 7.20_EXT, 7.45, 7.49, 7.53
Bug : Multiple vulnerabilities
CVSS : 8.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H
CVE : CVE-2018-2395, CVE-2018-2394, CVE-2018-2396, CVE-2018-2391, CVE-2018-2390, CVE-2018-2386, CVE-2018-2385, CVE-2018-2384, CVE-2018-2393, CVE-2018-2392, CVE-2018-2388, CVE-2018-2383, CVE-2018-2389, CVE-2018-2382, CVE-2018-2387
Reported : 17 08 2017
Vendor response : 20 08 2017
Public Advisory : 13 02 2018
Reference : SAP Security Note 2525222
Author : Yvan GENUER (Devoteam)

Description

Several vulnerabilities were discovered in the SAP IGS component. Under certain conditions a malicious user may retrieve information about the SAP system, overwrite existing images, corrupt other types of files, perform a denial of service, inject content into log files, perform XSS attacks…

Business risk

An attacker can exploit these vulnerabilities to compromise the SAP system, remotely terminate a process and trigger unexpected behavior in this vulnerable component.

Solution

The security vulnerabilities are addressed by the fixes described in the “Support Packages & Patches” section of SAP Security Note 2525222. Please download and apply the SAP Internet Graphics Server (IGS) patch level corresponding to your SAP IGS version.


Yvan Genuer