Home-baked encryption followed the wrong recipe
Yet another proprietary implementation of a popular protocol has turned up unexpected vulnerabilities, with SAP's data compression software open to remote code execution and denial-of-service exploits. The implementation in question is SAP's code running the popular LZC and LZH compression algorithms. As outlined over at Full Disclosure, CVE-2015-2282 and CVE-2015-2278 are a pair of out-of-bounds reads and writes. As well as a nice bag of SAP products – various NetWeaver servers, SDKs, the GUI,...