SAP Security Notes: May 2023 Patch Summary

In May 2023, SAP released critical security updates addressing vulnerabilities across several platforms, most notably SAP BusinessObjects (BOBJ) and the SAP 3D Visual Enterprise License Manager. These updates include patches for information disclosure, code injection, broken authentication, and session hijacking risks that require immediate attention from security administrators. Executive Summary The May 2023 SAP security […]

SAP Security Notes: April 2023 Summary

In April 2023, SAP released several critical security notes addressing vulnerabilities in its software. Key patches included Note 3305369 for the SAP Diagnostics Agent, Note 3294595 for SAP NetWeaver AS ABAP, Note 3298961 for SAP BOBJ, and Note 3305907 for the BI Content Add-on for AS ABAP. The April 2023 SAP security update focused on […]

SAP Security Notes: March 2023 Vulnerability Summary

What are the critical SAP security vulnerabilities addressed in March 2023? In March 2023, SAP released patches for several high-risk vulnerabilities, including a critical SQL injection in NetWeaver AS Java, authentication bypasses in the LockingService, and code execution risks in SAP BusinessObjects Business Intelligence (BOBJ). These updates are essential for maintaining system integrity and preventing […]

SAP Security Notes: Critical Vulnerabilities and Updates for February 2023

The February 2023 SAP Security Notes address critical vulnerabilities across NetWeaver Application Server Java, the SAP Host Agent, and SAP BusinessObjects. Key patches include fixes for JNDI interface exposure, privilege escalation via webservice requests, and unrestricted file upload vulnerabilities, alongside necessary corrections for side effects introduced by earlier security patches. Executive Summary The February 2023 […]

SAP Security Notes: January 2023 Vulnerability Summary

The January 2023 SAP Security patch cycle addressed several critical and high-risk vulnerabilities, including a capture-replay issue in SAP NetWeaver AS ABAP and a broken authentication flaw in SAP NetWeaver AS Java. Organizations are advised to apply these security notes immediately to prevent unauthorized data access and potential service disruption. Executive Summary The January 2023 […]

SAP Security Notes, December 2022

Hot news notes 3267780 and 3273480 patch critical broken authentication vulnerabilities in SAP NetWeaver Application Server Java (AS Java). Threat actors can exploit the vulnerabilities to attach to an open interface exposed through JNDI by the Messaging System and User Defined Search (UDS) of SAP NetWeaver AS Java. Once attached, they can make use of […]

SAP Security Notes, November 2022

Hot news note 3243924 for CVE-2022-41203 patches a critical vulnerability related to insecure deserialization of untrusted data in the Central Management Console (CMC) and BI Launchpad of SAP BusinessObjects Business Intelligence Platform (BOBJ). The vulnerability impacts versions 4.2 and 4.3 of BOBJ and can be exploited by threat actors to bypass authentication, inject malicious code, […]

SAP Security Notes, October 2022

Hot news note 3239152 patches a critical URL redirection vulnerability in SAP Commerce Cloud. The vulnerability can be exploited to manipulate URLs and redirect users to logon pages controlled by threat actors. User submissions served by attacker-controlled servers can be used to steal logon credentials and hijack accounts. Note 3239152 includes a fix for specific […]

SAP Security Notes, September 2022

Note 3237075 patches a high priority vulnerability in SAP GRC Access Control that could be exploited by attackers to access Firefighter sessions even after they are closed in the Firefighter Logon Pad. Firefighter IDs are dedicated user identities with elevated privileges that are activated when required and controlled through Emergency Access Management (EAM) in SAP […]

SAP Security Notes, August 2022

Note 3102769 was rereleased in August with updated solution information. The workaround detailed in the original note has been moved to the new note 3221696. The workaround provides steps for deactivating the SAP IKS component to address a high priority cross-site scripting (XSS) vulnerability in SAP Knowledge Warehouse. Note 3150454 was also updated to enforce […]