SAP Patches 22 Vulnerabilities With February 2017 Security Updates

SAP on Tuesday announced the release of its February 2017 security updates, which includes 15 Patch Day Security Notes and 3 updates to previously released Patch Day Security Notes.

Only High risk and Medium severity vulnerabilities were addressed this month, with the highest CVSS score of the vulnerabilities being 8.5. Multiple patches were released for SAP’s HANA database management system.

According to ERPScan, a company specialized in securing SAP and Oracle products, SAP’s February 2017 Security Patch Day also saw the release of 7 Support Package Notes, for a total of 22 patches across products. 7 of the patches were rated High risk, while the remaining 15 were assessed as Medium severity.

The most common vulnerability type addressed this month is Missing Authorization Check (5 patches), followed by Cross-Site Scripting (4 patches), denial of service (3 patches), and XML external entity (2 patches). The remaining 8 flaws include: directory traversal, implementation flaw, privilege escalation, buffer overflow, ABAP code injection, cross-site request forgery, clickjacking, and multiple issues.

The most important issues addressed this month include a Missing Authorization Check vulnerability (CVSS Base Score: 8.5) in SAP Netweaver Data Orchestration (which could allow an attacker to access the service without authorization and use service functionality that is meant to be restricted), along with an Implementation Flaw vulnerability (CVSS Base Score: 8.2) in SAP GRC Access Control EAM (which can cause unpredictable system behavior and problems with stability and safety).

Additionally, SAP patched a Memory Corruption vulnerability (CVSS Base Score: 8) in SAP 3D Visual Enterprise Author, Generator and Viewer, which could allow an attacker to inject specially crafted code into working memory that the vulnerable application then executes (the injected commands run with the same privileges as the affected service).

Three of the issues were disclosed by ERPScan researchers: multiple vulnerabilities in SAP HANA (CVSS Base Score: 8.3), namely a denial of service that could allow an attacker to crash a process of a vulnerable component and an Implementation Flaw (insecure default user creation policy) in the third-party repository server Sinopia, and an XML external entity vulnerability in SAP Visual Composer VC70RUNTIME (CVSS Base Score: 6.5).

The vulnerabilities in SAP HANA can be exploited together, ERPScan says: “The first vulnerability allows an attacker to create a new user over the Internet without authentication. After that, an adversary can create a new repository. If a package name contains special characters, the server will crash. As a result of the attack, the project would be unavailable meaning a stoppage of developing processes. Moreover, the vendor’s advisory states that other SAP HANA XS components also could be potentially impacted.”

In related news, Microsoft announced on Tuesday that a last minute issue forced the company to delay the release of its security updates for February 2017. It’s unclear when the patches will be made available.

Related: SAP Patches Multiple XSS and Missing Authorization Vulnerabilities

Related: SAP Resolves Multiple Information Disclosure Flaws

Related: In Review: SAP’s 3,660 Security and Support Notes

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
