Connect with us

Hi, what are you looking for?



SAP Patches High Severity Flaws in Crystal Reports, NetWeaver

SAP this week released 6 Security Notes as part of its April 2019 Security Patch Day, including two that address High severity flaws in Crystal Reports and NetWeaver.

SAP this week released 6 Security Notes as part of its April 2019 Security Patch Day, including two that address High severity flaws in Crystal Reports and NetWeaver.

Tracked as CVE-2019-0285 (CVSS Base Score: 7.5), the vulnerability in Crystal Reports is an information disclosure issue that could provide an attacker with access to details such as system data, debugging information, and more.

The second High risk flaw is CVE-2019-0283 (CVSS Base Score: 7.1), a spoofing attack vulnerability in NetWeaver Java Application Server. An attacker could target the bug to spoof the data being displayed to the user.

Other vulnerabilities addressed this month include a missing authorization check for the ABAP INST function module (CVE-2019-0279, CVSS Base Score: 5.5), information disclosure in NetWeaver (CVE-2019-0282, CVSS Base Score: 5.3; CVE-2019-0278, CVSS Base Score: 5.1), and an XML External Entity (XXE) vulnerability in SAP HANA (CVE-2019-0284, CVSS Base Score: 5.1).

The XXE in HANA requires special attention as it can be “used in a targeted attack, based on its ease of exploitability and the potential negative impact to business continuity. If not patched, the vulnerability would allow an attacker to remotely access critical files from the server and steal any web app custom code,” Onapsis, a firm that specializes in securing SAP and Oracle applications, says.

The Security Patch Day also saw the release of updates for three previous security notes, including the Hot News note that delivers security updates for the browser control Google Chromium delivered with SAP Business Client, initially released as part of the April 2018 Patch Day.

Another update was released for a note addressing an XXE bug in SLD Registration of NetWeaver and ABAP Platform (CVE-2019-0265), while the third is for a missing authorization check in Enterprise Financial Services (CVE-2018-2484).

Advertisement. Scroll to continue reading.

SAP also rolled out two notes released after the second Tuesday of the last month but before the second Tuesday of this month, ERPScan, another firm that specializes in the security of Oracle and SAP applications, reveals.

Together with Support Package Notes, these bring the total of Security Notes released as part of the April 2019 SAP Security Patch Day to 13.

Missing authorization check was the most encountered vulnerability type this month, followed by information disclosure and XXE. SAP also patched directory traversal, spoofing, an implementation flaw, and a session fixation bug.

Related: SAP Patches Critical Vulnerability in HANA XSA

Related: SAP Releases ‘Hot News’ Security Notes on First Patch Day of 2019

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.