Security Experts:

Connect with us

Hi, what are you looking for?



SAP Patches Critical Vulnerabilities With October 2019 Security Updates

SAP this week released seven new security notes as part of the October 2019 Security Patch Day, with two of these notes rated Hot News (Critical).

SAP this week released seven new security notes as part of the October 2019 Security Patch Day, with two of these notes rated Hot News (Critical).

This month’s set of patches also includes two security notes released after the second Tuesday of last month but before this Tuesday, along with one update for a previously released patch, totalling 10 security notes.

The most important of these notes addresses a missing authentication check in the AS2 adapter of the B2B add-on for SAP NetWeaver Process Integration. Tracked as CVE-2019-0379, the vulnerability features a CVSS score of 9.3.

Successful exploitation of this bug could lead to the theft of sensitive data or to data manipulation, or it could provide attackers with access to administrative and other privileged functionality. The issue can be exploited remotely, explains Onapsis, a firm specialized in securing Oracle and SAP products.

The second Hot News note patches an information disclosure vulnerability in SAP Landscape Management enterprise edition, version 3.0. The security flaw is tracked as CVE-2019-0380 and has a CVSS score of 9.1.

The issue, Onapsis says, is related to the custom parameters that a user can add to providers (which contain information about the scripts and other properties) assigned to custom operations. Under certain, “uncommon” conditions these providers create the risk of information disclosure, SAP says.

This month, SAP also released a High priority security note addressing a binary planting vulnerability in SAP SQL Anywhere, SAP IQ and SAP Dynamic Tiering. Tracked as CVE-2019-0381 and featuring a CVSS score of 7.8 due to the fact that access to the local system is required for exploitation, the issue resides in the file search algorithm of the affected products.

“The algorithm searches too many directories, even if they are out of the application scope. Possible impacts are path traversals and directory climbing, enabling an attacker to read, overwrite, delete, and expose arbitrary files of the system. This can also lead to DLL hijacking as well as to privilege elevation,” Onapsis explains.

SAP addressed multiple Cross-Site Scripting (XSS) vulnerabilities in its products this month, including one in Customer Relationship Management (CVE-2019-0368), and multiple bugs in the SAP BusinessObjects Business Intelligence Platform (CVE-2019-0374, CVE-2019-0375, CVE-2019-0376, CVE-2019-0377, and CVE-2019-0378), all rated Medium priority.

Additionally, the German software maker addressed multiple flaws in SAP Financial Consolidation (CVE-2019-0370 and CVE-2019-0369), and a missing authorization check in the B2B Content Manager of the B2B add-on for SAP NetWeaver Process Integration (CVE-2019-0367).

The company released an update for a security note released in September, which patches a denial-of-service (DoS) issue in SAP Kernel (RFC), SAP GUI for Windows and SAP GUI for Java (CVE-2019-0365).

Related: SAP Patches Critical Vulnerability in Business Client

Related: SAP Patches Highest Number of Critical Flaws Since 2014

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.