Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

SAP Patches Critical Vulnerability in HANA XSA

SAP this week released its February 2019 set of security fixes, to address over a dozen vulnerabilities across its product portfolio, including a Hot News flaw in SAP HANA Extended Application Services, advanced model.

SAP this week released its February 2019 set of security fixes, to address over a dozen vulnerabilities across its product portfolio, including a Hot News flaw in SAP HANA Extended Application Services, advanced model.

A total of 13 Security Notes were issued as part of this month’s SAP Security Patch Day, along with 3 updates to previously released security notes. Of these, 2 Notes are rated Hot News, 4 rated High priority, and 10 considered Medium priority.

Affected SAP products this month include Business Client, HANA XSA, ABAP Platform (SLD Registration), Disclosure Management, Solution Tools Plug-In (ST-PI), Note Assistant, Business Objects, Manufacturing Integration and Intelligence, Business One Mobile Android App, and WebIntelligence BILaunchPad (Enterprise).

The first of the Hot News Notes (CVSS score of 9.8) is an update to a Security Note released on April 2018 Patch Day and includes security updates for the browser control Chromium delivered with SAP Business Client. 

Featuring a CVSS score of 9.4, the Hot News Note for HANA XSA addresses a missing authentication check that could allow an attacker to gain access to high-privileged functionalities, in addition to being able to read, modify, or delete sensitive information. 

The security flaw impacts XS Advanced selected versions in both SAP HANA 1 and SAP HANA 2, Onapsis, a company specialized in securing Oracle and SAP applications, says

Affected customers should upgrade the XS Advanced component. If that is not possible in the short term, a workaround to prevent attacks is available, relying on disabling the affected component if not in use. 

Another vulnerability addressed in HANA XSA this month was a potential Information Disclosure rated Medium severity (CVSS score of 6.8). 

The High priority Security Notes in this month’s SAP Security Patch Day include an XML External Entity (XXE) vulnerability in SLD Registration of ABAP Platform, Missing Authorization check in Disclosure Management, and access to Easy Access Menu in ABAP Platform. 

Additionally, SAP issued an update to a security note released on November 2014 Patch Day, a potential information disclosure relating to database server file system. Successful exploitation could lead to an attacker accessing information stored in files on the operating system level on the database server.

This month, SAP also addressed Cross-Site Scripting (XSS) flaws, an Unrestricted File Upload vulnerability, a cross site request forgery, and a Directory Traversal vulnerability. 

Related: SAP Releases ‘Hot News’ Security Notes on First Patch Day of 2019

Related: SAP Patches Critical Vulnerability in Hybris Commerce

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...