Security Experts:

Connect with us

Hi, what are you looking for?



SAP Patches Critical Vulnerabilities With October 2019 Security Updates

SAP this week released seven new security notes as part of the October 2019 Security Patch Day, with two of these notes rated Hot News (Critical).

SAP this week released seven new security notes as part of the October 2019 Security Patch Day, with two of these notes rated Hot News (Critical).

This month’s set of patches also includes two security notes released after the second Tuesday of last month but before this Tuesday, along with one update for a previously released patch, totalling 10 security notes.

The most important of these notes addresses a missing authentication check in the AS2 adapter of the B2B add-on for SAP NetWeaver Process Integration. Tracked as CVE-2019-0379, the vulnerability features a CVSS score of 9.3.

Successful exploitation of this bug could lead to the theft of sensitive data or to data manipulation, or it could provide attackers with access to administrative and other privileged functionality. The issue can be exploited remotely, explains Onapsis, a firm specialized in securing Oracle and SAP products.

The second Hot News note patches an information disclosure vulnerability in SAP Landscape Management enterprise edition, version 3.0. The security flaw is tracked as CVE-2019-0380 and has a CVSS score of 9.1.

The issue, Onapsis says, is related to the custom parameters that a user can add to providers (which contain information about the scripts and other properties) assigned to custom operations. Under certain, “uncommon” conditions these providers create the risk of information disclosure, SAP says.

This month, SAP also released a High priority security note addressing a binary planting vulnerability in SAP SQL Anywhere, SAP IQ and SAP Dynamic Tiering. Tracked as CVE-2019-0381 and featuring a CVSS score of 7.8 due to the fact that access to the local system is required for exploitation, the issue resides in the file search algorithm of the affected products.

“The algorithm searches too many directories, even if they are out of the application scope. Possible impacts are path traversals and directory climbing, enabling an attacker to read, overwrite, delete, and expose arbitrary files of the system. This can also lead to DLL hijacking as well as to privilege elevation,” Onapsis explains.

SAP addressed multiple Cross-Site Scripting (XSS) vulnerabilities in its products this month, including one in Customer Relationship Management (CVE-2019-0368), and multiple bugs in the SAP BusinessObjects Business Intelligence Platform (CVE-2019-0374, CVE-2019-0375, CVE-2019-0376, CVE-2019-0377, and CVE-2019-0378), all rated Medium priority.

Additionally, the German software maker addressed multiple flaws in SAP Financial Consolidation (CVE-2019-0370 and CVE-2019-0369), and a missing authorization check in the B2B Content Manager of the B2B add-on for SAP NetWeaver Process Integration (CVE-2019-0367).

The company released an update for a security note released in September, which patches a denial-of-service (DoS) issue in SAP Kernel (RFC), SAP GUI for Windows and SAP GUI for Java (CVE-2019-0365).

Related: SAP Patches Critical Vulnerability in Business Client

Related: SAP Patches Highest Number of Critical Flaws Since 2014

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet