SAP Security Notes
Read our latest SAP security bulletins to patch vulnerabilities in your SAP systems
SAP Security Notes, March 2018
Note 2331141 addresses a high-risk SQL injection vulnerability in the FI Localization tables of S/4HANA. The corrections included in the support packages listed in the note will enable screening of user input for dangerous SQL statements. The formula expressions delivered in Note 2261750 are a prerequisite for user input validation checks delivered via the note. …
SAP Security Notes, February 2018
Note 2589129 addresses multiple high-risk vulnerabilities in HANA Extended Services Advanced (XSA) Server. XSA provides a development and runtime platform for HANA applications. XSA delivers improved reliability and scalability over HANA XS by providing separate runtime environments for applications. Applications operate in trust zones known as spaces. Applications deployed to the same space can share …
SAP Security Notes, January 2018
Note 2580634 provides instructions for removing a malicious file insertion vulnerability in the Process Control and Risk Management applications of SAP Governance, Risk and Compliance (GRC). The vulnerability could be exploited to upload malicious scripts or other forms of malware to SAP servers. The note includes manual instructions for implementing package GRFN_DOCUMENT_ WT_CHECK of the …
SAP Security Notes, December 2017
SAP issued an important update for Hot News Note 2371726 originally released in November 2016. The note addresses a code injection vulnerability in Text Conversion which enables SAP standard text to be replaced by industry specific text. Function module BRAN_DIR_CREATE in Text Conversion enables an authenticated development user to inject operating system commands and execute …
SAP Security Notes, November 2017
Note 2357141 includes updated instructions for removing a critical OS command injection vulnerability in Report for Terminology Export. This is a component of the Basis area Terminology and Glossary (transaction STERM) used to maintain standard terminology for management reporting, financial controlling, product development, and other areas. Report for Terminology Export does not sufficiently validate user …
SAP Security Notes, October 2017
SAP issued an important update for Hot News Note 2371726 originally released in November 2016. The note addresses a code injection vulnerability in Text Conversion which enables SAP standard text to be replaced by industry specific text. Function module BRAN_DIR_CREATE in Text Conversion enables an authenticated development user to inject operating system commands and execute …
SAP Security Notes, September 2017
Note 2408073 prepares systems to handle digitally signed SAP Notes. Digitally signed Notes will be issued by SAP in the future to protect against the risk of uploading Notes containing malware. Digital signatures will support authentication and the identification of changes performed by attackers to SAP-delivered Notes. SAP recommends only uploading digital signed Notes once …
SAP Security Notes, August 2017
Note 2381071 patches a critical cross-site Ajax vulnerability in the Prototype JS library of BusinessObjects. Ajax is a method often used by JavaScripts to exchange data between servers and clients to update parts of web pages without refreshing or reloading entire pages. This minimizes network bandwidth usage and also improves response times through rapid operations. …
SAP Security Notes, July 2017
Note 2442993 deals with a high-risk vulnerability in the Host Agent for SAP HANA. The Host Agent is automatically installed with every SAP instance on NetWeaver 7.02 and higher. The stand-alone component is used for controlling and monitoring SAP and non-SAP instances, databases and operating systems. Note 2442993 recommends upgrading to version 7.21 PL25 to …
SAP Security Notes, June 2017
Note 2416119 was reissued in June with updated release information and solution instructions. The note provides instructions for maintaining the property URLCheck ServerCertificate in Java Application Servers. The instructions are intended to mitigate the risk of man-in-the-middle attacks by securing client-server HTTPS connections. Certificates signed by Certificate Authorities should be maintained in client keystores to …
SAP Security Notes, May 2017
Note 2380277 addresses a high priority memory corruption vulnerability in the GUI control component of the Internet Graphics Server (IGS). GUI control is a self-contained component of the presentation server in ABAP systems. The Note contains corrections for logical errors in memory management within the component. The errors could be exploited by attackers to extract …
SAP Security Notes, April 2017
Note 2419592 includes further corrections for a code injection vulnerability in TREX that was originally patched by SAP through Note 2234226 in February 2016. The vulnerability impacts the TREXNet protocol used for internal communications by TREX components and servers. TREXNet communication does not require any authentication. Therefore, the protocol can be abused to execute dangerous …
SAP Security Notes, March 2017
Note 2424173 deals with vulnerabilities in SAP HANA that were the subject of media attention in March. This includes coverage from the television news channel MSNBC. The vulnerabilities impact areas such as User Self Service Tools that support account-related tasks including password resets and self-registration through a web interface. The Note carries a CVSS of …
SAP Security Notes, February 2017
Note 2410061 patches a dangerous Distributed Denial of Service (DDoS) vulnerability in the Data Orchestration Engine (DOE) Administration Portal. The DOE is used to access the SAP NetWeaver Mobile Administrator to manage and monitor mobile system landscapes. This includes connecting mobile clients, deploying agents and packages to mobile devices, managing single sign-on, and other tasks. …
SAP Security Notes, January 2017
Note 2407862 deals with a highly dangerous buffer overflow vulnerability in Sybase Software Asset Management (SySAM) that scores almost 10/10 using the Common Vulnerability Scoring System. SySAM performs license management for products such as ASE, ESP, PowerDesigner and the Replication Server. The vulnerability arises from the Flexera Flexnet Publisher software bundled in SySAM. The third …