Connect with us

Hi, what are you looking for?



SAP Patches Highest Number of Critical Flaws Since 2014

SAP’s Security Patch Day updates for August 2019 address three new critical vulnerabilities affecting the company’s products. This is the highest number of critical flaws fixed on the same day since 2014.

SAP’s Security Patch Day updates for August 2019 address three new critical vulnerabilities affecting the company’s products. This is the highest number of critical flaws fixed on the same day since 2014.

SAP has released a total of 12 new patches (Security Notes) that address vulnerabilities in the company’s NetWeaver, Business Client, Commerce Cloud, HANA, ABAP, BusinessObjects, Enable Now, and Gateway products.

Four of the patches have been classified as critical (Hot News), including one that is an update to a Security Note initially released in April 2018 for Business Client and which, to date, has been updated ten times, according to Onapsis, a company that specializes in protecting SAP and Oracle applications.

The other three Hot News patches are for a remote code execution flaw in the NetWeaver UDDI Server (CVE-2019-0351), code injection vulnerabilities in Commerce Cloud (CVE-2019-0344), and a server-side request forgery (SSRF) flaw in the NetWeaver Application Server for Java (CVE-2019-0345).

Onapsis pointed out that CVE-2019-0351 is the vulnerability with the highest CVSS score patched this year, 9.9. The vulnerability is caused by a buffer overflow and it allows an attacker to inject code into working memory.

“Because of the low complexity of this attack scenario in conjunction with the wide range of possible damages (e.g. information disclosure, data manipulation and destruction) up to the complete control of the product, this Note is considered as the most critical one to be released by SAP in 2019,” Onapsis said in a blog post.

The SSRF vulnerability tracked as CVE-2019-0345 was discovered by Onapsis researchers. The company noted that it allows an attacker to gain admin access to the Management Console for SAP Java systems.

“The worst-case scenarios include remote OS execution on the system and stopping SAP system generation, a denial of service (DoS) attack,” Onapsis explained.

Advertisement. Scroll to continue reading.

Of the remaining vulnerabilities, two have been classified as “high severity.” They include a DoS flaw in SAP HANA and a missing authorization check issue in a SAP kernel package that can lead to information disclosure and data manipulation.

“Considering the number of four HotNews and two High Priority Security Notes and taking into account the wide range of attack vectors exploitable in various SAP platforms, the August Patch Day demonstrates impressively the importance of keeping your systems up to date,” Onapsis said.

According to Onapsis, a total of 23 Security Notes have been released by SAP since the previous Patch Day updates.

SAP August 2019 patches

Related: PoC Exploits for Old SAP Configuration Flaws Increase Risk of Attacks

Related: SAP Patches Critical Flaw in Diagnostics Agent

Related: SAP Patches High Severity Flaws in Crystal Reports, NetWeaver

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how to utilize tools, controls, and design models needed to properly secure cloud environments.


Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.


People on the Move

SaaS security company AppOmni has hired Joel Wallenstrom as its General Manager.

FTI Consulting has appointed Brett Callow as Managing Director in its Cybersecurity & Data Privacy Communications practice.

Mobile security firm Zimperium has welcomed David Natker as its VP of Global Partners and Alliances.

More People On The Move

Expert Insights