SAP’s 24-month rule dictates that corrective fixes for many vulnerabilities are only provided for support packages released within the last two years. This policy primarily affects security notes for issues discovered internally by SAP and means that systems running on older support packages will not receive these specific patches, requiring a full upgrade instead.
Regular patching is essential for securing SAP landscapes from vulnerabilities discovered by SAP’s internal teams and external security researchers. SAP releases these fixes in security notes, which are rated for severity using systems like the Common Vulnerability Scoring System (CVSS). However, not all patches are delivered in the same way. The 24-month rule, which took effect on June 11, 2019, specifically applies to “support package notes”—those addressing low, medium, and high severity vulnerabilities found by SAP. If a system’s support package is older than 24 months, it is outside the maintenance window for these fixes. The only way to address the vulnerabilities is to perform a support package upgrade to a more recent version. This rule has exceptions for certain products like SAP HANA and SAP Kernel, which follow their own maintenance strategies.
Key Takeaways
- The Rule’s Scope: The 24-month rule applies to SAP’s “support package notes,” which fix low-to-high severity issues found internally.
- Maintenance Window: Fixes are only created for support packages (SPs) that were shipped within the last 24 months.
- Impact of Non-Compliance: Systems on SPs older than 24 months must be upgraded to a newer SP to receive these security fixes.
- Key Exceptions: The rule does not apply to all SAP products; SAP HANA, BW/4HANA, and SAP Kernel have product-specific maintenance strategies.
- Unaffected Notes: “Patch day notes,” which address externally reported vulnerabilities and critical internal findings, are not subject to this rule.
How Does SAP Classify Security Vulnerabilities?
SAP classifies security vulnerabilities using an internal severity rating (Hot News, High, Medium, Low) and the industry-standard Common Vulnerability Scoring System (CVSS). Hot News notes address the most severe vulnerabilities. CVSS provides a standardized score from 0-10, with scores of 9.0-10.0 considered critical. SAP, acting as a CVE Numbering Authority (CNA) since late 2017, assigns most security notes a unique CVE (Common Vulnerabilities and Exposures) identifier, making the vulnerability information publicly available.
What Are the Different Types of SAP Security Notes?
SAP delivers security corrections through two main types of notes: patch day notes and support package notes. The 24-month rule’s impact differs significantly between them.
| Feature | Patch Day Notes | Support Package Notes |
|---|---|---|
| Vulnerability Source | External researchers (all severities) & internal SAP (Hot News, CVSS 9.0+) | Internal SAP discovery |
| Vulnerability Severity | All severities from external; only highest from internal | High, medium, and low |
| Implementation Method | Direct implementation | Via Support Package (SP) fixes or upgrades |
| Affected by 24-Month Rule | No | Yes |
What is the Impact of the 24-Month Rule?
The primary impact of the 24-month rule is that software components on support package levels older than 24 months are not provided with SP fixes for low, medium, and high severity vulnerabilities discovered internally by SAP. To close these security gaps, organizations cannot apply a simple patch; they must perform a full SP upgrade to a support package level that falls within the 24-month maintenance window. This requires more significant planning, testing, and resources than applying a single note.
Are There Exceptions to the 24-Month Rule?
Yes, there are exceptions. The 24-month rule is part of the general SAP maintenance strategy, but some products follow their own specific strategies. These include major products such as SAP HANA, BW/4HANA, and the SAP Kernel. The maintenance strategy for these products is documented in specific SAP notes, such as note 2378962 for SAP HANA 2.0, which details which Support Package Stacks (SPS) are out of maintenance.
How Can You Manage Compliance with the 24-Month Rule?
Managing compliance requires tracking the lifecycle of support packages across the SAP landscape. The Cybersecurity Extension for SAP is a tool that automatically discovers software components with SP levels that fall outside the 24-month rule. It helps customers monitor support package lifecycles to ensure their components remain within SAP’s maintenance window, enabling them to apply all available security fixes. The tool also monitors systems like SAP HANA and SAP Kernel to identify outdated versions that are out of maintenance.
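The lifecycle check described above, as an added example (not code from the Cybersecurity Extension for SAP or any SAP tool): it walks a constructed component inventory, computes each installed support package's age against a reference date, flags components outside the 24-month window, and sets aside products the page names as following their own maintenance strategy. Component names, SP levels and release dates are hypothetical.

```python
from dataclasses import dataclass
from datetime import date

MAINTENANCE_WINDOW_MONTHS = 24
# Products the rule does not cover; they need a product-specific check instead.
PRODUCT_SPECIFIC_STRATEGY = {"SAP HANA", "BW/4HANA", "SAP Kernel"}


@dataclass(frozen=True)
class Component:
    name: str          # software component (constructed sample value)
    product: str       # product family, used to detect the exceptions above
    sp_level: str      # installed support package level (constructed)
    sp_released: date  # date SAP shipped that support package (constructed)


def months_between(start: date, end: date) -> int:
    """Whole calendar months from start to end (end is assumed >= start)."""
    months = (end.year - start.year) * 12 + (end.month - start.month)
    if end.day < start.day:   # partial trailing month does not count
        months -= 1
    return months


def assess(component: Component, today: date) -> str:
    """Classify one component: in-window, upgrade-required or product-specific."""
    if component.product in PRODUCT_SPECIFIC_STRATEGY:
        return "product-specific"
    age = months_between(component.sp_released, today)
    # Assumption: an SP that is exactly 24 months old is treated as already
    # outside the window, so it is flagged early rather than late.
    return "in-window" if age < MAINTENANCE_WINDOW_MONTHS else "upgrade-required"


def months_until_upgrade_required(component: Component, today: date) -> int:
    """Remaining months before the component leaves the window (negative if past)."""
    return MAINTENANCE_WINDOW_MONTHS - months_between(component.sp_released, today)


def find_out_of_window(inventory, today: date):
    """Names of components that must be upgraded to receive support package notes."""
    return sorted(c.name for c in inventory if assess(c, today) == "upgrade-required")


# Constructed inventory; reference date is the rule's anniversary (June 11, 2025).
TODAY = date(2025, 6, 11)
SAMPLE_INVENTORY = [
    Component("SAP_BASIS", "SAP NetWeaver", "SP 12", date(2024, 1, 15)),   # 16 months old
    Component("SAP_ABA", "SAP NetWeaver", "SP 08", date(2022, 11, 30)),    # 30 months old
    Component("SAP_GWFND", "SAP NetWeaver", "SP 20", date(2023, 6, 11)),   # exactly 24 months
    Component("SAP_HANA_DB", "SAP HANA", "SPS 05", date(2021, 3, 1)),      # own strategy
    Component("SAP_KERNEL", "SAP Kernel", "PL 100", date(2021, 9, 1)),     # own strategy
]
```

Running `find_out_of_window(SAMPLE_INVENTORY, TODAY)` returns the NetWeaver components that need an SP upgrade; the HANA and Kernel entries are deliberately left for a product-specific check such as the SPS maintenance status documented in the notes the page mentions.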
Frequently Asked Questions (FAQ)
What happens if my SAP system is on a support package older than 24 months?
If your system’s support package is older than 24 months, you will not receive SP fixes for low, medium, and high severity vulnerabilities discovered internally by SAP. You must perform an SP upgrade to a supported package level to address these vulnerabilities.
Does the 24-month rule apply to all SAP security notes?
No. The rule applies specifically to “support package notes.” It does not apply to “patch day notes,” which cover vulnerabilities reported by external researchers and the most critical “Hot News” vulnerabilities found by SAP.
How did the 24-month rule change SAP’s maintenance strategy?
The rule, which took effect on June 11, 2019, extended the coverage period for support packages from the previous 18 months to 24 months. This gives customers a larger window to stay compliant before an upgrade is required.