SAP hurries out a security patch for its TREX search engine
April 13, 2017
We just learned that SAP has urgently made available a security patch for its TREX search engine, after security researchers discovered a few flaws in a 2015 patch that was previously issued.
So yes: it's a security patch for another existing patch. TREX is a search engine used in many SAP applications, including its HANA database and its venerable NetWeaver application.
And it's also used in its integration platform, so it's critical that system admins everywhere get this done right.
According to ERPScan, SAP thought it had patched the code injection vulnerability in December 2015, when in fact the fix wasn't done correctly.
In fact, ERPScan's Mathieu Geli looked into the TREX Net communication protocol and found it ran without authentication, so that's a blunder.
He’s also quoted in the ERPScan advisory notice as saying “I reversed a protocol for HANA and then for the TREX search engine. As they share a common protocol, the security exploit has been easily adapted. SAP did repair some features, but not everything affecting the core protocol. It was still possible to get full control on the server even with a patched TREX.”
He also asserted that the flaw tracked as CVE-2017-7691 lets an attacker send a crafted request to TREX Net ports to read or create operating system files, in addition to the above.
The security flaw was one of 15 patched this week on April 11, in SAP’s monthly security patch release.