SAP Security Notes

Read our latest SAP security bulletins to patch vulnerabilities in your SAP systems

SAP Security Notes, August 2023

Hot news note 3341460 patches multiple critical vulnerabilities in the data modelling and management solution SAP PowerDesigner. This includes an access control vulnerability for CVE-2023-37483 that has a CVSS score of 9.8/10. The vulnerability can be exploited by attackers to execute arbitrary queries against back-end databases via proxies. It also includes an information disclosure vulnerability …
Read this Advisory SAP Security Notes, August 2023

SAP Security Notes, July 2023

Hot news note 3350297 for a critical OS command injection vulnerability in SAP ECC and S/4HANA was re-released with instructions for confirming the prerequisites for the note. The IS-OIL component must be enabled in order for the note to be applicable. The note includes instructions for checking whether the component and supporting switches are enabled …
Read this Advisory SAP Security Notes, July 2023

SAP Security Notes, June 2023

Notes 3324285 and 3326210 patch high priority vulnerabilities in SAP UI5. The former applies input validation to block the storage and reading of malicious scripts that could lead to cross-site scripting. The latter introduces additional restrictions to prevent the injection of untrusted CSS that can be exploited to perform clickjacking exploits. Note 3326210 includes a …
Read this Advisory SAP Security Notes, June 2023

SAP Security Notes, May 2023

Hot news note 3307833 patches a critical information disclosure vulnerability in SAP BusinessObjects Business Intelligence (BOBJ) platform. The vulnerability can be exploited by authenticated threat actors with administrator privileges to compromise the login token of any logged-in BI user or server over the network. The login ticket can be used to access the platform with …
Read this Advisory SAP Security Notes, May 2023

SAP Security Notes, April 2023

Hot news note 3305369 patches missing authentication check and code injection vulnerabilities in the SAP Diagnostics Agent. The note removes the EventLogServiceCollector and OSCommand Bridge components from the Agent to address the vulnerability. The patch does not effect metric data collection for data collectors that use the Agent. However, it will disable metric testing. Hot …
Read this Advisory SAP Security Notes, April 2023

SAP Security Notes, November 2022

Hot news note 3243924 for CVE-2022-41203 patches a critical vulnerability related to insecure deserialization of untrusted data in the Central Management Console (CMC) and BI Launchpad of SAP BusinessObjects Business Intelligence Platform (BOBJ). The vulnerability impacts versions 4.2 and 4.3 of BOBJ and can be exploited by threat actors to bypass authentication, inject malicious code, …
Read this Advisory SAP Security Notes, November 2022

SAP Security Notes, August 2022

Note 3102769 was rereleased in August with updated solution information. The workaround detailed in the original note has been moved to the new note 3221696. The workaround provides steps for deactivating the SAP IKS component to address a high priority cross-site scripting (XSS) vulnerability in SAP Knowledge Warehouse. Note 3150454 was also updated to enforce …
Read this Advisory SAP Security Notes, August 2022

SAP Security Notes, July 2022

There were several high priority security notes released in July for multiple vulnerabilities in SAP Business One. Note 3212997 patches an information disclosure issue that arises during the integration between Business One and SAP HANA. The vulnerability can be exploited to access privileged account credentials through the HANA cockpit’s data volume. Customers can switch from …
Read this Advisory SAP Security Notes, July 2022

SAP Security Notes, June 2022

Note 3158375 patches a high priority vulnerability in the SAProuter that can be exploited by attackers to execute administration commands from remote clients. The SAProuter is designed to accept administration commands from local clients only. However, this restriction can be bypassed in installations with specific entries in the saprouttab, the root permission table for the …
Read this Advisory SAP Security Notes, June 2022

SAP Security Notes, May 2022

Hot news note 3165801 patches a critical missing authorization check in SAP NetWeaver Application Server ABAP. The notes introduces an authorization check for object S_OC_SEND to prevent the transmission of the contents of ABAP list output from the System Menu via e-mail. The note impacts all versions of SAP_BASIS from 700 to 788. Notes 2756188 …
Read this Advisory SAP Security Notes, May 2022

SAP Security Notes, April 2022

The central note 3170990 consolidates security notes for the critical Spring4Shell vulnerability. Spring4Shell is addressed by CVE-2022-22965. This is related to a remote code execution vulnerability in the open-source Java Spring Framework. Successful exploitation requires Apache Tomcat for serving applications built as a WAR file. Notes 3189428, 3187290, 3189429, 3189635 and 3171258 patch Sping4Shell in …
Read this Advisory SAP Security Notes, April 2022

SAP Security Notes, March 2022

Note 3123396 patches SAP NetWeaver Application Server ABAP and the Web Dispatcher for CVE-2022-22536. This is related to the ICMAD (Internet Communication Manager Advanced Desync) vulnerability that was the subject of alerts from multiple threat intelligence agencies including CISA and CERT-EU. ICMAD is a memory corruption vulnerability that can be exploited through a single HTTP …
Read this Advisory SAP Security Notes, March 2022

SAP Security Notes, January 2022

Multiple Hot News notes were released in January as part of SAP’s continued efforts to patch solutions impacted by the critical Log4Shell vulnerability. This includes Process Orchestration (note 3130521), Data Intelligence (3130920) and Business One (3131740). The central note 3131047 consolidates patches for the remote code execution vulnerability in the vulnerable Apache Log4j 2 component. …
Read this Advisory SAP Security Notes, January 2022

SAP Security Notes, December 2021

The central security note 3131047 consolidates Log4Shell patches for SAP products. Log4JShell is regarded as one of the most dangerous security vulnerabilities in decades. It can be exploited remotely with minimal complexity and without authentication to execute arbitrary code that could lead to the complete compromise of vulnerable applications. Log4Shell impacts Log4J, a widely installed …
Read this Advisory SAP Security Notes, December 2021

We are proud to work with some of the World’s most renowned brands.