Connect with us

Hi, what are you looking for?



SAP Patches 17 Vulnerabilities With May 2017 Security Update

SAP on Tuesday released its May 2017 set of security fixes to address 17 issues in its products, the lowest number of monthly vulnerabilities over the past six months.

SAP on Tuesday released its May 2017 set of security fixes to address 17 issues in its products, the lowest number of monthly vulnerabilities over the past six months.

Only 9 of the security notes were released on this SAP Security Patch Day, SAP reveals. 4 others were released after the second Tuesday of the previous month and before the second Tuesday of this month, while 4 more are updates to previously released notes.

Missing Authorization Checks (5 vulnerabilities) and Cross-Site Scripting (5 flaws) represented the most common vulnerability types addressed this month. Additionally, SAP resolved two Implementation flaws, along with an XML external entity, one denial of service, a buffer overflow, one clickjacking, and an SQL injection.

The highest CVSS score of the vulnerabilities resolved this month is 6.5. One of the flaws, however, was assessed a Hot News rating, while another was considered High priority, ERPScan notes. The remaining 15 issues included 14 Medium risk vulnerabilities and one Low severity bug.

As security firm  Onapsis explains, the High priority vulnerability wasn’t an issue directly in the SAP platform, but a bug in a third-party library that SAP uses. Resolved via note #2380277 (titled “Memory Corruption Vulnerability in IGS”), the bug allows an attacker to update a library component that is being used by Internet Graphics Server (IGS).

The library has been vulnerable for the past year, but it is easy to resolve and there are no reports of it being widely exploited, Onapsis notes. The issue affects products from companies such as Oracle and RedHat too, but they updated it last year.

The most important of the issues SAP Security Patch Day addressed include two missing authorization checks in SAP Defense Forces & Public Security DFPS module (CVSS Base Score of 6.5 and 6.3, respectively), a missing authorization check in SAP NetWeaver ADBC Demo Programs (6.3), and a Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Authentication and SSO (6.1).

Advertisement. Scroll to continue reading.

A total of 4 vulnerabilities in DFPS module were addressed this month, namely 3 missing authorization checks affecting DFPS and one update to a patch for SQL Injection in the same module. Overall, SAP addressed 18 vulnerabilities in this module (3 High priority and 15 Medium risk). 11 of the bugs were resolved over the past six months.

“Missing authorization check vulnerability usually allows a perpetrator to read, modify or delete data, which has restricted access. When it comes to the defense industry and armed forces, the information can be critical in terms of International security and the effect of even such low-impact vulnerabilities could be devastating,” ERPScan notes.

All but one of the May 2017 SAP Security Patch Day notes are automatic ones, meaning that they have an automatic effect and customers won’t have to take additional steps to secure their deployments, Onapsis says. The only note that has manual steps is #2142551 (“Whitelist Service for Clickjacking Framing Protection in AS ABAP”).

Related: SAP Patches Critical Code Injection Flaw in TREX

Related: SAP Vulnerability Exposes Enterprises to Ransomware, Other Attacks

Related: SAP Patches Five Vulnerabilities in HANA Database Platform

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.