Connect with us

Hi, what are you looking for?



In Review: SAP’s 3,660 Security and Support Notes

SAP’s Monthly Patches Dominated by Hot News and High Priority Flaws

SAP’s Monthly Patches Dominated by Hot News and High Priority Flaws

To date, SAP has issued more than 3,660 Security Notes and Support Package Implementation Notes to address thousands of vulnerabilities in its business critical applications, a new report from ERPScan reveals.

Of the total of 3,663 Security Notes that SAP has issued through June 2016, 212 were rated Hot News and 2,383 were rated High Priority, meaning that only around 25% of the flaws were Medium (798) and Low (145) priority.

Cross-Site Scripting (20.47%), Missing authorization (20.45%) and Directory traversal (11.96%) were the most common types of flaws, accounting for 52% of all vulnerabilities, ERPScan’s report shows. Configuration issues (10.52%) and SQL-injection (7.64%) round up top five issue types, followed by Information disclosure (7.33%) and Cross-Site Request Forgery (6.57%).

The approximate number of monthly SAP Security Notes has dropped to only 22 in 2016, but it was at 61 in 2011. It dropped to 53 notes in 2012 and registered a significant decrease in 2013, when it was of only 30 per month. However, the number of vulnerabilities resolved in SAP products is higher than that, because SAP fixes multiple flaws with a single patch now, ERPScan says.

Three years ago, the company used to issue a patch for each discovered vulnerability, but the newly adopted approach makes it easier to apply the security updates that arrive on the second Tuesday of each month. However, SAP doesn’t offer information on the number of vulnerabilities each patch resolves, and analysis and correlation with CVE is more difficult now, the report says.

What’s more, around 85% of vulnerabilities are usually closed internally, meaning that information about them and the patches themselves are released to customers and partners only. Furthermore, of the remaining 15% of vulnerabilities, which are discovered by external researchers, some are not assigned to CVE.

Advertisement. Scroll to continue reading.

Over the past few years, SAP also extended the list of vulnerable platforms and it now includes modern cloud and mobile technologies such as HANA. Cloud and mobile technologies rendered SAP systems more exposed to the Internet, meaning that every vulnerability discovered in these services could affect thousands of multi-national companies (after all, 90% of the Fortune 2000 companies use SAP).

“For example, the latest reported issues in SAP Mobile affect more than a million of mobile devices and SAP HANA vulnerability affect 6000+ companies that use SAP HANA,” ERPScan notes.

The report also says that almost every SAP module has vulnerabilities, with CRM being in the lead, followed by EP and SRM. However, it appears that researchers and hackers were more attracted by the vulnerabilities affecting SAP HANA and SAP Mobile apps when compared to the traditional modules.

There was also a growth in the number of vulnerabilities in industry-specific solutions, with over 160 vulnerabilities detected in SAP’s products designed for particular industries. The SAP industry-specific solutions for Banking, Retail, Advertising Management, Automotive, and Utilities are the most vulnerable products.

There are more than 36,000 SAP systems worldwide, yet most of them (69%) should not be available directly via the Internet. However, there are numerous unnecessarily exposed services that render systems vulnerable, and almost half of them “are implemented in countries where wide adoption of new technologies takes place (such as USA, India, and China),” the report claims.

Related: SAP Patches Critical Clickjacking Vulnerabilities

Related: SAP Patches Critical Code Injection, XSS Vulnerabilities

Related: Five-year-old SAP Vulnerability Haunts Global Businesses

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.