SAP released its monthly critical patch update for June 2011. This update closes about 40 vulnerabilities in SAP products, 10 of which were found by external researchers. As usual, DSecRG researcher Dmitriy Chastuhin, who found 2 of these vulnerabilities, is among them.
SAP traditionally credits vulnerabilities found by DSecRG researchers on its acknowledgement page.
Both vulnerabilities are rated medium severity (CVSS scores of 5.0 and 4.3). They were found in the SAP NetWeaver J2EE Engine and can give an attacker access to a user's session.
It is highly recommended to apply all of these patches to prevent business risks.
Solutions for these issues are available in SAP Notes 1545883 and 1562292.
Advisories with the technical details of these issues will be published in 3 months on erpscan.com and on DSecRG.com.
We have also published details of the vulnerabilities that were closed 3 months ago, in March 2011:
DSECRG-11-023
DSECRG-11-024
DSECRG-11-025
DSECRG-11-026