Security Experts:

Connect with us

Hi, what are you looking for?



SAP Patches Highest Number of Critical Flaws Since 2014

SAP’s Security Patch Day updates for August 2019 address three new critical vulnerabilities affecting the company’s products. This is the highest number of critical flaws fixed on the same day since 2014.

SAP’s Security Patch Day updates for August 2019 address three new critical vulnerabilities affecting the company’s products. This is the highest number of critical flaws fixed on the same day since 2014.

SAP has released a total of 12 new patches (Security Notes) that address vulnerabilities in the company’s NetWeaver, Business Client, Commerce Cloud, HANA, ABAP, BusinessObjects, Enable Now, and Gateway products.

Four of the patches have been classified as critical (Hot News), including one that is an update to a Security Note initially released in April 2018 for Business Client and which, to date, has been updated ten times, according to Onapsis, a company that specializes in protecting SAP and Oracle applications.

The other three Hot News patches are for a remote code execution flaw in the NetWeaver UDDI Server (CVE-2019-0351), code injection vulnerabilities in Commerce Cloud (CVE-2019-0344), and a server-side request forgery (SSRF) flaw in the NetWeaver Application Server for Java (CVE-2019-0345).

Onapsis pointed out that CVE-2019-0351 is the vulnerability with the highest CVSS score patched this year, 9.9. The vulnerability is caused by a buffer overflow and it allows an attacker to inject code into working memory.

“Because of the low complexity of this attack scenario in conjunction with the wide range of possible damages (e.g. information disclosure, data manipulation and destruction) up to the complete control of the product, this Note is considered as the most critical one to be released by SAP in 2019,” Onapsis said in a blog post.

The SSRF vulnerability tracked as CVE-2019-0345 was discovered by Onapsis researchers. The company noted that it allows an attacker to gain admin access to the Management Console for SAP Java systems.

“The worst-case scenarios include remote OS execution on the system and stopping SAP system generation, a denial of service (DoS) attack,” Onapsis explained.

Of the remaining vulnerabilities, two have been classified as “high severity.” They include a DoS flaw in SAP HANA and a missing authorization check issue in a SAP kernel package that can lead to information disclosure and data manipulation.

“Considering the number of four HotNews and two High Priority Security Notes and taking into account the wide range of attack vectors exploitable in various SAP platforms, the August Patch Day demonstrates impressively the importance of keeping your systems up to date,” Onapsis said.

According to Onapsis, a total of 23 Security Notes have been released by SAP since the previous Patch Day updates.

SAP August 2019 patches

Related: PoC Exploits for Old SAP Configuration Flaws Increase Risk of Attacks

Related: SAP Patches Critical Flaw in Diagnostics Agent

Related: SAP Patches High Severity Flaws in Crystal Reports, NetWeaver

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.