SAP Security Notes March 2026: Critical Log4j and RCE Flaws Patched

SAP’s security notes for March 2026 address 14 vulnerabilities, including two critical “Hot News” items. The most severe patches fix a command injection vulnerability related to Apache Log4j and a remote code execution flaw in SAP NetWeaver Enterprise Portal. A high-risk Denial of Service (DoS) note for SAP Supply Chain Management was also released.

This advisory from Layer Seven Security summarizes the key patches released on March 10, 2026. The most critical vulnerabilities involve a Log4j issue in SAP Quotation Management Insurance, insecure deserialization in SAP NetWeaver, and a DoS risk in SAP SCM. These notes highlight the ongoing need for organizations to prioritize timely patching to secure their SAP landscapes from significant operational and security risks.

Key Takeaways for March 2026

  • Critical Log4j Flaw: A command injection vulnerability in Apache Log4j bundled with SAP Quotation Management Insurance was patched under Hot News note 3698553.
  • NetWeaver RCE: Hot News note 3714585 addresses a critical insecure deserialization vulnerability in SAP NetWeaver Enterprise Portal that could allow remote code execution.
  • High-Risk DoS: Note 3719502 patches a high-risk Denial of Service vulnerability in SAP Supply Chain Management.
  • Total Patches: SAP released 14 security notes, including two Hot News, one high-priority, and 11 medium-priority issues.

What Are the Critical Vulnerabilities for March 2026?

SAP released two “Hot News” notes, reserved for the most critical vulnerabilities requiring immediate attention.

The first, note 3698553, patches a critical command injection vulnerability in Apache Log4j as bundled in SAP Quotation Management Insurance. The fix requires updating the package assembly for the FS-QUO-scheduler module to a secure version. As a temporary workaround, the log4j-1.2.17.jar file can be deleted from the {FS-QUO-scheduler}/lib directory.
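The advisory only names the jar and the directory, so an administrator still has to confirm on each scheduler host whether the workaround is actually in place. The script below is an added example from this editor, not from the Layer Seven advisory or from SAP note 3698553: it inventories a scheduler `lib` directory for Log4j 1.x jars and reports whether the vulnerable `log4j-1.2.17.jar` is still present. The install root under `{FS-QUO-scheduler}` is assumed to be passed in by the caller; the `make_sample_install` helper builds a constructed stand-in directory (empty placeholder files, not real jars) so the script runs offline.

```shell
#!/bin/sh
# Added example (not part of the advisory or SAP note 3698553).
# Checks whether the temporary workaround for note 3698553, removing
# log4j-1.2.17.jar from {FS-QUO-scheduler}/lib, has been applied on a host.

# Print each Log4j 1.x jar found directly under the given lib directory.
# Returns 0 if at least one is present (workaround NOT applied), 1 otherwise.
find_log4j1_jars() {
    libdir="$1"
    found=1
    for jar in "$libdir"/log4j-1.*.jar; do
        # An unmatched glob stays literal; skip it.
        [ -e "$jar" ] || continue
        printf 'Log4j 1.x jar present: %s\n' "$jar"
        found=0
    done
    return $found
}

# Report for one scheduler install root (the {FS-QUO-scheduler} path)
# whether the workaround is in place. Returns 0 when applied, 1 when not.
workaround_applied() {
    root="$1"
    if find_log4j1_jars "$root/lib" >/dev/null; then
        echo "NOT applied: Log4j 1.x jar still present in $root/lib"
        return 1
    fi
    echo "Applied: no Log4j 1.x jar in $root/lib"
    return 0
}

# Constructed sample install root with the vulnerable jar present.
# The jar files are empty placeholders; in practice point
# workaround_applied at the real FS-QUO-scheduler directory instead.
make_sample_install() {
    root="$1"
    mkdir -p "$root/lib"
    : > "$root/lib/log4j-1.2.17.jar"
    : > "$root/lib/other-library.jar"
}

# Demonstration: run with --demo to see both the "not applied" and
# "applied" states against the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_install "$tmp/scheduler"
    workaround_applied "$tmp/scheduler"
    rm -f "$tmp/scheduler/lib/log4j-1.2.17.jar"
    workaround_applied "$tmp/scheduler"
    rm -rf "$tmp"
fi
```

Run it as `sh check_log4j.sh --demo` to see both outcomes, or source the file and call `workaround_applied /path/to/FS-QUO-scheduler` on a real host. Two caveats for practitioners: the check looks only at the top level of `lib`, so a jar nested elsewhere in the assembly would not be reported, and deleting the jar is the note's temporary measure only; the lasting fix is updating the package assembly for the FS-QUO-scheduler module as the note describes, so the deletion should be followed by that update rather than treated as closure.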

The second, note 3714585, addresses an insecure deserialization vulnerability in SAP NetWeaver Enterprise Portal Administration. This flaw could lead to malicious remote code execution through the upload of user-supplied content. The patch, which is only available for NetWeaver AS Java 7.50, validates input before processing to secure the deserialization logic. For older, unmaintained versions, SAP refers to note 3660659 for security hardening guidance. Access to roles like superadminrole, systemadminrole, and contentadminrole should also be restricted.

What Was the High-Risk Vulnerability Patched?

Note 3719502 was released to patch a high-risk Denial of Service (DoS) vulnerability in SAP Supply Chain Management. The patch applies input validation for calls to a specific vulnerable Remote Function Module (RFM) to prevent excessive resource consumption that could render the system unavailable. The Cybersecurity Extension for SAP provides monitoring for calls to this vulnerable RFM.

What Other Vulnerabilities Were Addressed?

The remaining 11 security notes address medium-priority issues across various SAP products. This includes vulnerabilities in SAP NetWeaver AS ABAP, such as Server-Side Request Forgery (SSRF) and missing authorization checks, covered in notes 3689080, 3704740, and 3703856.

Frequently Asked Questions (FAQ)

Q: How many SAP security notes were released in March 2026?
A: SAP released 14 new security notes in March 2026, including two critical “Hot News” notes, one high-priority note, and 11 medium-priority notes.

Q: What was the most critical vulnerability patched in March 2026?
A: The most critical vulnerability was a command injection flaw in Apache Log4j bundled with SAP Quotation Management Insurance, addressed by Hot News note 3698553. This vulnerability allows for remote code execution.

Q: Is there a patch for the NetWeaver RCE vulnerability on older versions?
A: No, the direct patch for the insecure deserialization vulnerability (note 3714585) is only available for NetWeaver AS Java 7.50. For earlier versions, customers must apply security hardening measures as detailed in SAP note 3660659.
