SAP Becomes CVE Numbering Authority

Released this week with fixes for 11 vulnerabilities, SAP’s Security Patch Day for December 2017 marks a change in the history of SAP patches: it also includes CVE numbers in the titles of the security notes.

The change is a result of SAP becoming a CVE Numbering Authority (CNA), which authorizes it to assign CVEs to vulnerabilities in its products. The company's goal is to disclose the CVE numbers of addressed vulnerabilities on its Security Patch Day, in an effort to increase “transparency and facilitate faster patch consumption for all SAP customers.”

Of the security notes the company included in this month’s Security Patch Day, one was Hot News, or Very High priority, featuring a CVSS score of 9.1. The flaw, an OS Command Injection vulnerability in Report for Terminology Export impacting SAP NetWeaver Documentation and Translation tools, is an update to a security note released in November 2017.

The note, Onapsis says, is actually a re-released version, as it was initially published one year ago. At the time, SAP removed the affected lines of code, as they were obsolete. All the code that used to run when the report was executed in background was removed, but the original patch apparently failed to properly solve the issue.

In the re-release, SAP added a new step toward solving the bug. Thus, in addition to implementing the correction instructions referenced by the SAP note, impacted customers also need to follow the manual steps in the document “Manual instructions for creating GUI status related to note 2357141.pdf”, which is available on the SAP customer portal.

“Onapsis Research Labs has tested the component and discovered that the previous patch properly solves the bug. Despite securing the vulnerability, it introduced a little malfunction in the SAP software. Even though the relevant report is secure, after installing the patch the report interface then breaks in the SAP GUI by being unresponsive to interactions such as button clicks,” Onapsis explains.

The new instructions provide information on how to manually correct the issue to execute the report and also remain secure. According to Onapsis, there are no additional security concerns related to the re-released security note and those who have already applied the original patch are protected. Those who haven’t should apply the note as soon as possible, considering that it is Hot News.

The new set of SAP security patches also includes three High priority notes. One addresses an Additional Authentication check in Trusted RFC on same system (CVE-2017-16689), another fixes a Missing Authentication check in SAP BI Promotion Management Application (CVE-2017-16684), while the third updates an August 2014 patch note: SBOP solution for Apache Struts1.x vulnerability (CVE-2014-0094).

The rest of the flaws addressed this month were Medium priority. The most important of them include a Cross-Site Scripting (XSS) vulnerability in SAP BW Universal Data Integration (CVE-2017-16685), a Server-Side Request Forgery (SSRF) vulnerability in SAP NetWeaver Knowledge Management Configuration Service (CVE-2017-16678), a Denial of Service (DoS) in SAP BusinessObjects Platform (CVE-2017-16683), and an XSS vulnerability in BI Promotion Management Application (CVE-2017-16681).

The 11 security notes released as part of the December 2017 Security Patch day are accompanied by 4 updates to previously released notes and 4 support package notes, for a total of 19 security notes, ERPScan reveals. 6 of the notes were released after the second Tuesday of the previous month and before the second Tuesday of this month.

Implementation flaw was the most common type of vulnerability addressed this month (5 flaws), followed by XSS (2 bugs), Information Disclosure (2), Missing Authorization Check (2), Denial of Service (2), OS command execution (2), Remote Command Execution (1), Open Redirect (1), SSRF (1), and Log injection (1).

The Log injection vulnerability (CVE-2017-16687) impacts SAP HANA XS classic user self-service and features a CVSS Base Score of 5.3. By exploiting the flaw, an attacker could inject arbitrary data in the audit log. By flooding it with a large amount of illegal data, the audit log can no longer be easily analyzed. The operation could also result in a rapid depletion of disk space and in damage to the event log.
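
The two effects described above, arbitrary data in the audit log and flooding, are what an audit-log writer has to guard against. The following is an added, generic JavaScript illustration, not SAP HANA code or SAP's fix; the function names, the `|`-separated record format and the limits are all assumptions.

```javascript
// Added illustration: generic audit-log writer, not SAP HANA code.
// Names, limits and the "|"-separated record format are assumptions.
const MAX_FIELD = 256;      // cap per user-supplied field, in characters
const MAX_PER_WINDOW = 5;   // entries accepted per source per window
const WINDOW_MS = 60000;

// Escape control characters, line separators, the field separator and the
// escape character itself, so input cannot start a record or add a field.
function neutralize(value) {
  return String(value).slice(0, MAX_FIELD).replace(
    /[\u0000-\u001f\u007f\u2028\u2029|\\]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// sink(line) persists one record; now() is injectable for testing.
// A production version would also bound the number of tracked sources.
function makeAuditLogger(sink, now = Date.now) {
  const windows = new Map();  // source -> { start, count, dropped }
  return function audit(source, event, detail) {
    const t = now();
    const stamp = new Date(t).toISOString();
    let w = windows.get(source);
    if (!w || t - w.start >= WINDOW_MS) {
      if (w && w.dropped > 0) {
        // One summary record replaces the flood that was discarded.
        sink([stamp, neutralize(source), "suppressed", "count=" + w.dropped].join("|"));
      }
      w = { start: t, count: 0, dropped: 0 };
      windows.set(source, w);
    }
    if (w.count >= MAX_PER_WINDOW) {
      w.dropped += 1;
      return false;
    }
    w.count += 1;
    sink([stamp, neutralize(source), neutralize(event), neutralize(detail)].join("|"));
    return true;
  };
}

// Constructed sample: a "user name" carrying a line break and a forged record.
function forgedEntryDemo() {
  const lines = [];
  const audit = makeAuditLogger((l) => lines.push(l), () => 0);
  audit("10.0.0.5", "password_reset", "bob\n1970-01-01T00:00:00.000Z|10.0.0.9|login_ok|admin");
  return lines;  // exactly one record with four fields
}
```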

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
