SAP Patches Critical Vulnerability in HANA XSA

SAP this week released its February 2019 set of security fixes, to address over a dozen vulnerabilities across its product portfolio, including a Hot News flaw in SAP HANA Extended Application Services, advanced model.

A total of 13 Security Notes were issued as part of this month’s SAP Security Patch Day, along with 3 updates to previously released security notes. Of these, 2 Notes are rated Hot News, 4 rated High priority, and 10 considered Medium priority.

Affected SAP products this month include Business Client, HANA XSA, ABAP Platform (SLD Registration), Disclosure Management, Solution Tools Plug-In (ST-PI), Note Assistant, Business Objects, Manufacturing Integration and Intelligence, Business One Mobile Android App, and WebIntelligence BILaunchPad (Enterprise).

The first of the Hot News Notes (CVSS score of 9.8) is an update to a Security Note released on the April 2018 Patch Day and delivers security updates for the Chromium browser control shipped with SAP Business Client.

Featuring a CVSS score of 9.4, the Hot News Note for HANA XSA addresses a missing authentication check that could allow an attacker to gain access to high-privileged functionalities, in addition to being able to read, modify, or delete sensitive information. 

The flaw affects selected versions of XS Advanced in both SAP HANA 1 and SAP HANA 2, according to Onapsis, a company that specializes in securing Oracle and SAP applications.

Affected customers should upgrade the XS Advanced component. Where that is not possible in the short term, SAP offers a workaround that relies on disabling the affected component if it is not in use.

Another vulnerability addressed in HANA XSA this month was a potential Information Disclosure rated Medium severity (CVSS score of 6.8). 

The High priority Security Notes in this month’s SAP Security Patch Day include an XML External Entity (XXE) vulnerability in SLD Registration of ABAP Platform, a Missing Authorization Check in Disclosure Management, and an issue with access to the Easy Access Menu in ABAP Platform.

Additionally, SAP issued an update to a Security Note released on the November 2014 Patch Day covering a potential information disclosure in the database server file system. Successful exploitation could allow an attacker to access information stored in files at the operating system level on the database server.

This month, SAP also addressed Cross-Site Scripting (XSS) flaws, an Unrestricted File Upload vulnerability, a Cross-Site Request Forgery (CSRF) issue, and a Directory Traversal vulnerability.

Related: SAP Releases ‘Hot News’ Security Notes on First Patch Day of 2019

Related: SAP Patches Critical Vulnerability in Hybris Commerce

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
