SAP Security Notes

Read our latest SAP security bulletins to patch vulnerabilities in your SAP systems

SAP Security Notes, September 2021

Hot news note 3078609 patches a missing authorization check in the JMS Connector Service of SAP NetWeaver Application Server for Java. The vulnerability could be exploited to execute arbitrary code in the system remotely and without authentication. Hence, the note carries the maximum CVSS score of 10/10. A fix is included in the note but …
Read this Advisory

SAP Security Notes, August 2021

Hot news note 3072955 patches a Server Side Request Forgery (SSRF) vulnerability in the Component Build Service of SAP NetWeaver Development Infrastructure (NWDI). The Component Build Service includes a vulnerable servlet that could be targeted to perform proxy attacks. The vulnerability has a CVSS score of 9.9/10 for NWDI installations exposed to the internet. The …
Read this Advisory

SAP Security Notes, July 2021

Hot News Note 3007182 contains updated corrections for a broken authentication vulnerability in the SAP NetWeaver AS ABAP and ABAP Platform. The corrections improve the ability to distinguish between internal and external RFC and HTTP connections. This protects against external threat actors using credentials for internal communications.  Note 3007182 includes kernel patches for multiple kernel …
Read this Advisory

SAP Security Notes, June 2021

Hot News note 3040210 patches a critical remote code execution vulnerability in Source Rules of SAP Commerce. The vulnerability affects both on-premise installations of SAP Commerce and SAP Commerce Cloud in the Public Cloud. SAP Commerce Backoffice application allows certain authorized users to create source rules which are translated to drools rule when published to …
Read this Advisory

SAP Security Notes, May 2021

Note 3046610 patches a high priority code injection vulnerability in SAP NetWeaver Application Server ABAP (AS ABAP). Program RDDPUTJR may be executed by attackers to inject malicious code.  The note replaces the code of the report with an exit statement. The program can be deleted by the support packages included in the note.  Access to …
Read this Advisory

SAP Security Notes, April 2021

Hot news note 2999854 was updated in April for a critical code injection vulnerability in SAP Business Warehouse and SAP BW/4HANA. BW and BW/4HANA allow a low privileged attacker to inject malicious code using a remote enabled function module over the network. Due to a lack of input validation, users granted RFC access to execute …
Read this Advisory

SAP Security Notes, March 2021

Hot news note 3022622 patches a critical code injection vulnerability in SAP Manufacturing Integration and Intelligence (MII). SAP MII allows users to create dashboards and save them as JSP through the SSCE (Self Service Composition Environment). Attackers can target this feature to inject malicious JSP code that include OS commands. The code and commands are …
Read this Advisory

SAP Security Notes, February 2021

Hot News note 3014121 patches a critical remote code execution vulnerability in SAP Commerce. The Backoffice application in SAP Commerce enables certain users with required privileges to edit drools rules. An authenticated attacker with this privilege is able to inject malicious code in the drools rules, enabling the attacker to compromise the SAP host. This …
Read this Advisory

SAP Security Notes, January 2021

Hot News note 2983367 corrects a code injection vulnerability in Master Data Management in SAP Business Warehouse and SAP BW4HANA. The vulnerability could be exploited to execute privileged OS commands. The correction introduces a hard coded report name which can only be executed by a legitimate user in release 7.30. The note removes the impacted …
Read this Advisory

SAP Security Notes, December 2020

Hot News note 2983367 patches a severe OS command injection vulnerability in SAP Business Warehouse Master Data Management (MDM) and BW4HANA. For release 7.30, the note binds the execution of the affected function module to a hard coded report and legitimate users. For release 7.40 and higher, the note removes the vulnerable function altogether. Note …
Read this Advisory

SAP Security Notes, November 2020

Hot News note 2973735 patches a code injection vulnerability in SAP AS ABAP and S/4 HANA. The note introduces an authorization check for object S_DMIS to control the execution of a vulnerable function module by RFC. The function module is used for checking the syntax for a table selection query.  Attackers can abuse the function …
Read this Advisory

SAP Security Notes, October 2020

Hot news note 2969828 patches a OS command injection vulnerability in CA Introscope Enterprise Manager (EM) installed in SAP Solution Manager and SAP Focused Run. EM can be used to monitor the performance of Java applications. The note includes a patch for EM 10.7 and 10.5 SP2 patch 2 to remove the vulnerability. Earlier versions …
Read this Advisory

SAP Security Notes, September 2020

Hot News note 2958563 patches a critical code injection vulnerability in SAP Business Warehouse. The vulnerability targets specific function modules to assume complete control of BW including viewing, changing, or deleting data by injecting code into the working memory which is subsequently executed by the application. It impacts BW releases up to 7.40 running on …
Read this Advisory

SAP Security Notes, August 2020

Hot News note 2928635 patches a critical code execution vulnerability in SAP Knowledge Management (KM). KM supports the automatic execution of potentially malicious scripts in stored files without authentication. The note recommends disabling the option for Force Text Download to remove the vulnerability. Force Text Download is a parameter of the WebDAV Protocol. WebDAV includes …
Read this Advisory

SAP Security Notes, July 2020

Hot News Note 2934135 patches the critical RECON vulnerability in NetWeaver Application Server Java (AS Java). RECON targets a missing authentication flaw in the LM Configuration Wizard of AS Java to execute malicious code that creates administrative users in compromised systems. Attackers can exploit RECON to compromise not only AS Java systems but also connected …
Read this Advisory

SAP Security Notes, June 2020

Hot News note 2928570 patches a critical remote code execution vulnerability in SAP Liquidity Management for Banking. The vulnerability impacts connections using the Apache JServ Protocol (AJP) in Apache Tomcat. AJP connections should be blocked if not required by disabling the AJP Connector. The connections can be exploited to read and process arbitrary files in …
Read this Advisory

SAP Security Notes, May 2020

Hot News Note 2835979 patches a critical code injection vulnerability in Service Data Download. The vulnerability can be exploited by attackers to inject malicious code into the ST-PI plugin for NetWeaver Application Server ABAP (AS ABAP). This could lead to the complete compromise of ABAP servers.  The vulnerability carries a base CVSS score of 9.9/10 …
Read this Advisory

SAP Security Notes, April 2020

Hot news note 2863731 provides updated correction instructions for a critical deserialization vulnerability in the enterprise Business Objects platform. The Crystal Reports .Net SDK WebForm Viewer in Business Objects could enable attackers with basic authorization to execute deserialization attacks. This could be exploited to perform malicious code execution. Note 2904480 patches a significant input validation …
Read this Advisory

SAP Security Notes, March 2020

Hot News note 2845377 patches a missing authentication check in the Diagnostics Agent. The Agent is a component of the Solution Manager landscape. It commonly connects to the Java server in Solution Manager through the J2EE Message Server HTTP port. This is recommended by SAP. However, it can also connect to Solution Manager using a …
Read this Advisory

SAP Security Notes, February 2020

Note 2841053 patches a high risk Denial of Service (DOS) Vulnerability in the SAP Host Agent. Username/password-based authentication requests for the SAP Host Agent are delegated to operating systems or LDAP, Active Directory and other authentication platforms. Operating systems and authentication platforms often include mechanisms to limit parallel logon requests in order to protect against …
Read this Advisory

SAP Security Notes, January 2020

Note 2822074 patches a missing authorization check in the Business Object Repository (BOR) of SAP NetWeaver Application Server ABAP. The note introduces the switchable authorization check objects S_BOR_RFC and S_BOR_PRX to supplement the generic S_RFC authorization. The new objects should be activated using transaction SACF to secure remote access to BOR. Note 2844646 is a …
Read this Advisory

SAP Security Notes, December 2019

Note 2871877 patches multiple high priority vulnerabilities in Maintenance, Repair, and Overhaul (MRO) Workbenches in SAP Enterprise Asset Management (EAM). This includes missing authorizations checks for authenticated users that could lead to an escalation of privileges, and directory traversal caused by insufficient path validation. The latter vulnerability could enable attackers to read, overwrite, delete, or …
Read this Advisory

SAP Security Notes, November 2019

Hot News Note 2839864 updates Note 2808158 for a high risk OS Command Injection vulnerability in the SAP Diagnostics Agent. The vulnerability exists within the OS Command Plugin of the Agent, accessible through transaction GPA_ADMIN and the OS Command Console. Note 2839864 provides a patch for the LM_SERVICE for Support Pack levels 6-9 of the …
Read this Advisory

SAP Security Notes, October 2019

Hot News Note 2828682 patches a vulnerability in SAP Landscape Management Enterprise that could lead to the disclosure of critical information. Although the notes carries a CVSS score of 9.1/10, the vulnerability addressed by the note can only be executed under specific, uncommon conditions. In addition to implementing SAP Landscape Management 3.0 SP12 Patch 02, …
Read this Advisory

We are proud to work with some of the World’s most renowned brands.