SAP Security Notes January 2024: Critical Vulnerabilities and Patches

The SAP Security Notes for January 2024 addressed several critical vulnerabilities, including two “Hot News” privilege escalation flaws in SAP Business Application Studio and Edge Integration Cell. A high-priority Denial of Service vulnerability in SAP NetWeaver’s ICM and a code injection flaw in the Application Interface Framework were also patched. This summary covers the key […]

SAP Security Advisory: Critical Patches for December 2023

SAP’s December 2023 security update includes critical patches for an OS command injection vulnerability in SAP S/4HANA and ECC, and high-risk vulnerabilities in the SAP Business Technology Platform (BTP). Organizations should prioritize the review and application of these notes to mitigate significant security risks. This advisory summarizes the key vulnerabilities and the required actions for […]

SAP Security Notes November 2023: Critical Business One Flaw and NetWeaver Patches

The SAP Security Notes for November 2023 featured a critical “Hot News” patch for a missing authentication vulnerability in SAP Business One, which registered a 9.6 CVSS score. Other key updates addressed a Cross-Site Request Forgery (CSRF) vulnerability in SAP Sybase and two separate information disclosure issues in SAP NetWeaver ABAP and Java servers. This […]

SAP Security Notes, October 2023

Hot news note 3340576 patches a critical missing authorization check in the SAP Common Cryptographic Library (CommonCryptoLib) that could enable attackers to escalate privileges. CommonCryptoLib is installed in multiple SAP products including SAP NetWeaver AS ABAP, SAP NetWeaver AS Java and ABAP Platform of S/4HANA on-premise, as well as SAP HANA Database, SAP Web Dispatcher, […]

SAP Security Notes, September 2023

Hot news notes 3245526 and 3320355 patch critical code injection and information disclosure vulnerabilities in SAP BusinessObjects Intelligence Platform (BOBJ). Note 3245526 was re-released in September with updated support package and patch level details. The note patches a command injection vulnerability that can be exploited to escalate privileges in the platform. The vulnerability impacts the […]

SAP Security Notes, August 2023

Hot news note 3341460 patches multiple critical vulnerabilities in the data modelling and management solution SAP PowerDesigner. This includes an access control vulnerability, tracked as CVE-2023-37483, that has a CVSS score of 9.8/10. The vulnerability can be exploited by attackers to execute arbitrary queries against back-end databases via proxies. It also includes an information disclosure vulnerability […]

SAP Security Notes, July 2023

Hot news note 3350297 for a critical OS command injection vulnerability in SAP ECC and S/4HANA was re-released with instructions for confirming the prerequisites for the note. The IS-OIL component must be enabled in order for the note to be applicable. The note includes instructions for checking whether the component and supporting switches are enabled […]

SAP Security Notes, June 2023

Notes 3324285 and 3326210 patch high priority vulnerabilities in SAP UI5. The former applies input validation to block the storage and reading of malicious scripts that could lead to cross-site scripting. The latter introduces additional restrictions to prevent the injection of untrusted CSS that can be exploited to perform clickjacking exploits. Note 3326210 includes a […]

SAP Security Notes, May 2023

Hot news note 3307833 patches a critical information disclosure vulnerability in SAP BusinessObjects Business Intelligence (BOBJ) platform. The vulnerability can be exploited by authenticated threat actors with administrator privileges to compromise the login token of any logged-in BI user or server over the network. The login ticket can be used to access the platform with […]

SAP Security Notes, April 2023

Hot news note 3305369 patches missing authentication check and code injection vulnerabilities in the SAP Diagnostics Agent. The note removes the EventLogServiceCollector and OSCommand Bridge components from the Agent to address the vulnerability. The patch does not affect metric data collection for data collectors that use the Agent. However, it will disable metric testing. Hot […]