Security Experts:

Connect with us

Hi, what are you looking for?



SAP Patches Critical Vulnerability in NetWeaver

Four of the Security Notes published by SAP as part of the September 2019 Security Patch Day are rated Hot News, the same as last month.

Four of the Security Notes published by SAP as part of the September 2019 Security Patch Day are rated Hot News, the same as last month.

Of the four Security Notes, only one is newly released. It addresses CVE-2019-0355 (CVSS score of 9.1), a code injection vulnerability in SAP NetWeaver AS for Java (Web Container).

The issue resides in the SAP default implementation of the HTTP PUT method and allows attackers to bypass the input validation check. Thus, an attacker could upload dynamic web content and can take control of the application, Onapsis, a firm specialized in securing Oracle and SAP products, explains.

An attacker able to successfully exploit the vulnerability could execute commands without authorization, access sensitive information on the system, and cause a denial of service (DoS) condition.

Two of the remaining Hot News notes are updates to previously released patches addressing an OS command injection vulnerability in SAP Diagnostics Agent (CVE-2019-0330) – one of the Security Notes is an update to the other, which in itself is an update to a July 2019 Security Note.

“A SolMan admin can abuse the Diagnostic Agent (SMDAgent) bug and gain access to any SAP system connected to the SolMan system. Even though many SolMan admins have admin privileges in other SAP systems, certain scenarios may allow an escalation of privileges to those who don’t,” Onapsis says.

The fourth Hot News note released this month is an update to a patch released in April 2018, which addresses issues with the browser control Google Chromium delivered with SAP Business Client.

This month, SAP also addressed High severity security flaws in SAP HANA Extended Application Services (Advanced Model). Tracked as CVE-2019-0363 and CVE-2019-0364, the bugs could allow an authenticated attacker to cause a DoS condition.

Seven of the Security Notes released as part of the September 2019 Security Patch Day are rated Medium severity, including a privilege escalation in the SAP HANA database, Cross-Site Scripting (XSS) in Supplier Relationship Management, and multiple flaws in Business One.

Other Medium risk bugs include a DoS in Kernel (RFC), GUI for Windows and GUI for Java, improper session management in Business Objects Business Intelligence Platform (CMC), information disclosure in XI Runtime Workbench of NetWeaver Process Integration, and an update to an August 2018 Note addressing a Server Side Request Forgery (SSRF) in BusinessObjects.

Additionally, SAP addressed a Low severity information disclosure bug in the SAP Business One client (CVE-2019-0353).

In addition to the notes published as part of the September 2019 Patch Day, SAP also released a series of patches after the second Tuesday of last month and before the second Tuesday of this month.

“With 16 new or updated Security Notes released today, the number of published Security Notes is lower than in August. However, some of them include multiple fixes or important updates and extensions to already published notes and thus reminding us that patching is and will remain a continuous major task for every SAP customer,” Onapsis notes.

Related: SAP Patches Highest Number of Critical Flaws Since 2014

Related: SAP Patches Critical Flaw in Diagnostics Agent

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet