SAP Security Notes

Read our latest SAP security bulletins to patch vulnerabilities in your SAP systems

SAP Security Notes, March 2018

Note 2331141 addresses a high-risk SQL injection vulnerability in the FI Localization tables of S/4HANA. The corrections included in the support packages listed in the note will enable screening of user input for dangerous SQL statements. The formula expressions delivered in Note 2261750 are a prerequisite for user input validation checks delivered via the note. …
Read this Advisory SAP Security Notes, March 2018

SAP Security Notes, February 2018

Note 2589129 addresses multiple high-risk vulnerabilities in HANA Extended Services Advanced (XSA) Server. XSA provides a development and runtime platform for HANA applications. XSA delivers improved reliability and scalability over HANA XS by providing separate runtime environments for applications. Applications operate in trust zones known as spaces. Applications deployed to the same space can share …
Read this Advisory SAP Security Notes, February 2018

SAP Security Notes, January 2018

Note 2580634 provides instructions for removing a malicious file insertion vulnerability in the Process Control and Risk Management applications of SAP Governance, Risk and Compliance (GRC). The vulnerability could be exploited to upload malicious scripts or other forms of malware to SAP servers. The note includes manual instructions for implementing package GRFN_DOCUMENT_ WT_CHECK of the …
Read this Advisory SAP Security Notes, January 2018

SAP Security Notes, December 2017

SAP issued an important update for Hot News Note 2371726 originally released in November 2016. The note addresses a code injection vulnerability in Text Conversion which enables SAP standard text to be replaced by industry specific text. Function module BRAN_DIR_CREATE in Text Conversion enables an authenticated development user to inject operating system commands and execute …
Read this Advisory SAP Security Notes, December 2017

SAP Security Notes, November 2017

Note 2357141 includes updated instructions for removing a critical OS command injection vulnerability in Report for Terminology Export. This is a component of the Basis area Terminology and Glossary (transaction STERM) used to maintain standard terminology for management reporting, financial controlling, product development, and other areas.  Report for Terminology Export does not sufficiently validate user …
Read this Advisory SAP Security Notes, November 2017

SAP Security Notes, October 2017

SAP issued an important update for Hot News Note 2371726 originally released in November 2016. The note addresses a code injection vulnerability in Text Conversion which enables SAP standard text to be replaced by industry specific text. Function module BRAN_DIR_CREATE in Text Conversion enables an authenticated development user to inject operating system commands and execute …
Read this Advisory SAP Security Notes, October 2017

SAP Security Notes, September 2017

Note 2408073 prepares systems to handle digitally signed SAP Notes. Digitally signed Notes will be issued by SAP in the future to protect against the risk of uploading Notes containing malware.  Digital signatures will support authentication and the identification of changes performed by attackers to SAP-delivered Notes.  SAP recommends only uploading digital signed Notes once …
Read this Advisory SAP Security Notes, September 2017

SAP Security Notes, August 2017

Note 2381071 patches a critical cross-site Ajax vulnerability in the Prototype JS library of BusinessObjects. Ajax is a method often used by JavaScripts to exchange data between servers and clients to update parts of web pages without refreshing or reloading entire pages.  This minimizes network bandwidth usage and also improves response times through rapid operations. …
Read this Advisory SAP Security Notes, August 2017

SAP Security Notes, July 2017

Note 2442993 deals with a high-risk vulnerability in the Host Agent for SAP HANA. The Host Agent is automatically installed with every SAP instance on NetWeaver 7.02 and higher. The stand-alone component is used for controlling and monitoring SAP and non-SAP instances, databases and operating systems. Note 2442993 recommends upgrading to version 7.21 PL25 to …
Read this Advisory SAP Security Notes, July 2017

SAP Security Notes, June 2017

Note 2416119 was reissued in June with updated release information and solution instructions.  The note provides instructions for maintaining the property URLCheck ServerCertificate in Java Application Servers. The instructions are intended to mitigate the risk of man-in-the-middle attacks by securing client-server HTTPS connections. Certificates signed by Certificate Authorities should be maintained in client keystores to …
Read this Advisory SAP Security Notes, June 2017

SAP Security Notes, May 2017

Note 2380277 addresses a high priority memory corruption vulnerability in the GUI control component of the Internet Graphics Server (IGS). GUI control is a self-contained component of the presentation server in ABAP systems. The Note contains corrections for logical errors in memory management within the component. The errors could be exploited by attackers to extract …
Read this Advisory SAP Security Notes, May 2017

SAP Security Notes, April 2017

Note 2419592 includes further corrections for a code injection vulnerability in TREX that was originally patched by SAP through Note 2234226 in February 2016. The vulnerability impacts the TREXNet protocol used for internal communications by TREX components and servers. TREXNet communication does not require any authentication. Therefore, the protocol can be abused to execute dangerous …
Read this Advisory SAP Security Notes, April 2017

SAP Security Notes, March 2017

Note 2424173 deals with vulnerabilities in SAP HANA that were the subject of media attention in March. This includes coverage from the television news channel MSNBC. The vulnerabilities impact areas such as User Self Service Tools that support account-related tasks including password resets and self-registration through a web interface. The Note carries a CVSS of …
Read this Advisory SAP Security Notes, March 2017

SAP Security Notes, February 2017

Note 2410061 patches a dangerous Distributed Denial of Service (DDoS) vulnerability in the Data Orchestration Engine (DOE) Administration Portal. The DOE is used to access the SAP NetWeaver Mobile Administrator to manage and monitor mobile system landscapes. This includes connecting mobile clients, deploying agents and packages to mobile devices, managing single sign-on, and other tasks. …
Read this Advisory SAP Security Notes, February 2017

SAP Security Notes, January 2017

Note 2407862 deals with a highly dangerous buffer overflow vulnerability in Sybase Software Asset Management (SySAM) that scores almost 10/10 using the Common Vulnerability Scoring System.  SySAM performs license management for products such as ASE, ESP, PowerDesigner and the Replication Server. The vulnerability arises from the Flexera Flexnet Publisher software bundled in SySAM. The third …
Read this Advisory SAP Security Notes, January 2017

We are proud to work with some of the World’s most renowned brands.