Virtual Event Today: Supply Chain Security Summit - Register Now

Security Experts:

Connect with us

Hi, what are you looking for?



SAP Releases August 2018 Security Updates

SAP on Tuesday released its security updates for August 2018. The latest round of updates includes over two dozen patches, but none of them are for critical (hot news) vulnerabilities.

SAP on Tuesday released its security updates for August 2018. The latest round of updates includes over two dozen patches, but none of them are for critical (hot news) vulnerabilities.

The German software giant has provided 27 SAP Security Notes, including 14 Patch Day Notes and 13 Support Package Notes. Seven of the total are updates to previously published patches.

SAP releases security updates for August 2018

Nine of the patches address high severity flaws, including two discovered by researchers at Onapsis, a company that specializes in securing Oracle and SAP applications.

“One [Security Note] fixes two SQL Injection vulnerabilities in SAP BusinessObjects. Basically, an attacker with a low privileges session can inject data and extract information that he should not be able to. The other vulnerability fixes two bugs found in SAP HANA XSA,” Onapsis said in a blog post detailing this month’s patches.

“The [SQL injection] issues were found in the frontend webserver of the Central Management Console (CMC). One of these SQLi is a blind SQLi, and the other a regular SQLi blind boolean-based SQLi vulnerability,” the company added. “These SQLi vulnerabilities […] allow an attacker without privileges to get information from the Central Management Server System Database. As described, it is sensitive infrastructure information related to the BusinessObjects Enterprise platform, its structure and configuration.”

ERPScan, another company specializing in securing SAP applications, noted that six of the flaws resolved in the past month are implementation issues, while another six have been described as missing authorization checks.

ERPScan has provided a brief description for three of the most serious vulnerabilities patched by SAP with the August updates. The security holes, all rated “high severity,” include the SQL injection flaws found by Onapsis in BusinessObjects (CVE-2018-2447), a missing authorization check in the SAP SRM MDM Catalog (CVE-2018-2449), and a memory corruption flaw in the BusinessObjects Business Intelligence platform that can lead to arbitrary command execution (CVE-2015-5237).

“An attacker can use [CVE-2018-2449] to access a service without any authorization procedures and to use service functionality that has restricted access. This can lead to an information disclosure, privilege escalation, and other attacks,” ERPScan said.

Related: SAP Releases Critical Updates for Two Security Notes

Related: 13 Year-Old Configuration Flaw Impacts Most SAP Deployments

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet