Security Experts:

Connect with us

Hi, what are you looking for?



SAP Patches Critical Issues With November 2017 Security Updates

SAP today released its November 2017 set of patches to address 22 vulnerabilities across its product portfolio, including three issues rated Very High priority (Hot News).

SAP today released its November 2017 set of patches to address 22 vulnerabilities across its product portfolio, including three issues rated Very High priority (Hot News).

The enterprise software maker included 13 patches in this month’s SAP Security Patch Day, to which 9 patches that are updates to previously released security notes are added.

Three of the security notes address vulnerabilities considered Hot News, one patches a High severity issue, while the remaining 18 security notes address Moderate risk bugs. The highest CVSS score of the patches is 9.1.

This is the first SAP Security Patch Day to include Hot News security notes after one of the April 2017 security patches addressed a Very High priority vulnerability in TREX / BWA that could allow an attacker to execute commands on the affected system.

All three Hot News security notes were updates to previously released notes. One of them was patched in September 2016 and is a code injection vulnerability in Text Conversion. Onapsis, a company that specializes in security SAP and Oracle applications and which reported the vulnerability, explains that SAP updated the security note with some additional correction instructions.

The other two flaws were both resolved in September 2017 and represent an information disclosure in SAP Landscape Management (LaMa) 3.0 and an information disclosure in LVM 2.1 and LaMa 3.0. Both bugs result in an attacker being able to access relevant data under certain conditions, Onapsis says.

According to ERPScan, another company that specializes in the security of SAP and Oracle software, 10 Support Package Notes should be added to the aforementioned 22 security notes, for a total of 32 patches (3 Hot News, 2 High, 26 Medium, and 1 Low).

13 of all the patches are updates to previously released notes and 15 of the notes were released after last month’s Security Patch Day but before today, ERPScan says.

SAP resolved 6 implementation flaws this month, 5 XSS bugs, 5 Information disclosure issues, 5 missing authorization checks, 3 XML external entity flaws, 2 directory traversal bugs, a local command execution, an OS command execution, a XSFR, a clickjacking bug, a privilege escalation flaw, and a log injection issue.

Some of the most dangerous vulnerabilities addressed this month include an implementation flaw (CVSS Base Score: 8) in SAP Management Console, a Cross-Site Scripting (XSS) vulnerability (CVSS Base Score: 6.1) in SAP SAPUI5, and a Cross-Site Scripting (XSS) vulnerability (CVSS Base Score: 6.1) in SAP BusinessObjects Analysis Edition for OLAP.

SAP also resolved a couple of issues impacting SAP Hana, namely an information disclosure vulnerability in SAP HANA Extended Application Services (XS Advanced) and an information disclosure in SAP NetWeaver Instance Agent Service.

Related: SAP Resolves 16 Vulnerabilities with September 2017 Patches

Related: SAP Patches Critical Code Injection Flaw in TREX

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.


Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.