Security Experts:

Connect with us

Hi, what are you looking for?



SAP Patches Critical Vulnerability in Business Client

SAP today released its September 2018 set of patches to address a total of 14 vulnerabilities in its products, including a critical bug in SAP Business Client.

SAP today released its September 2018 set of patches to address a total of 14 vulnerabilities in its products, including a critical bug in SAP Business Client.

Featuring a CVSS score of 9.8 and rated Hot News, the vulnerability impacts the browser control Chromium delivered with SAP Business Client. The issue was initially addressed on April 2018 Patch Day, but SAP decided to update the Security Note today.

Of the remaining 13 Security Notes included in this month’s Security Patch Day, three were rated High severity, 9 Medium risk, and 1 Low severity. 

Impacted SAP products include Business One, BEx Web Java Runtime Export Web Service, HANA, WebDynpro, NetWeaver AS Java, Hybris Commerce, Plant Connectivity, Adaptive Server Enterprise, HCM Fiori “People Profile” (GBX01HR), Mobile Platform, Enterprise Financial Services, and Business One Android application. 

SAP also released 8 Support Package Notes this month, for a total of 22 Security Notes, ERPScan, a company that specializes in securing Oracle and SAP products, reveals. 4 of the notes were released over the course of the last month. 

Missing Authorization Check was the most encountered type of vulnerability, followed by information disclosure, Cross-Site Scripting, and XML External Entity issues. SAP also addressed implementation flaws, denial of service, SQL injection, buffer overflow, and server side request forgery vulnerabilities. 

The most important bugs closed in September (all featuring a CVSS Base Score of 8.8) include a Missing Authorization check vulnerability in SAP ECC Sales Support, an Information Disclosure vulnerability in Business One and HANA Installer, and a Missing XML Validation (XXE) vulnerability in BEx Web Java Runtime Export Web Service.

Another important bug was a denial of service vulnerability in SAP HANA, Extended Application Services Classic Model. Tracked as CVE-2018-2465, the flaw has a CVSS score of 7.5 and is considered High risk.

Discovered by Onapsis researchers, the flaw can be exploited by a remote, unauthenticated attacker through a large crafted request to a default API or to ODATA services present in a HANA XS system abusing the XML parsing, the company says.

“Even though a Denial Of Service attack is the easiest way to exploit this vulnerability, a more complex attack could lead to a potential remote code execution (RCE), that could lead to even worse scenarios for the affected users,” Sebastian Bortnik, Director Of Research for Onapsis, told SecurityWeek in an emailed comment.

A Cross-Site Scripting issue in NetWeaver AS Java Logon Application (versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40 and 7.50) can lead to defacements, user credentials compromises, or user impersonation, Onapsis, which also focuses on securing Oracle and SAP applications, explains. 

Related: SAP Releases August 2018 Security Updates

Related: SAP Releases Critical Updates for Two Security Notes

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.