SAP Releases ‘Hot News’ Security Notes on First Patch Day of 2019

SAP released its first Security Patch Day for 2019 this week, which includes a total of 11 Security Notes, two of which are rated as Hot News. 

The most important of the Security Notes addresses vulnerabilities in SAP Cloud Connector. Tracked as CVE-2019-0246 and CVE-2019-0247, the bugs both have a CVSS score of 9.3. 

This is the second Security Note that SAP has published for the platform, and the first to feature a Critical severity rating (the only other note for Cloud Connector was published in April 2018 with a Medium severity rating), points out Onapsis, a firm that specializes in securing Oracle and SAP applications.

An attacker exploiting the vulnerability could gain access to the service and read, modify or delete information, while also being able to access administrative or privileged functionalities, explains ERPScan, another company that secures Oracle and SAP products.

“The attacker can also use an OS command execution vulnerability for unauthorized execution of operating system commands. Executed commands will run with same privileges of the service that executed a command. The hacker can access arbitrary files and directories located in an SAP server filesystem including application source code, configuration, and critical system files,” ERPScan says.

The second Hot News Security Note published by SAP this week addresses an information disclosure issue in Landscape Management. Tracked as CVE-2019-0249, the vulnerability carries a CVSS score of 9.1. 

An attacker could abuse the information disclosure flaw to reveal additional information such as system data, debugging information, and the like, which could then be abused to explore the system and plan other attacks, ERPScan points out. 

SAP’s January 2019 patches also include one High severity Security Note. Tracked as CVE-2019-0243 and featuring a CVSS score of 7.1, the vulnerability is a Missing Authorization check that impacts SAP BW/4HANA. 

All of the remaining Security Notes address Medium risk vulnerabilities such as Information Disclosure, Cross-Site Scripting, Denial of Service, and Missing Authorization check. 

Impacted SAP products include Financial Consolidation Cube Designer, Commerce, Work Manager, CRM WebClient UI, Business Objects, Gateway of ABAP Application Server, and Enterprise Financial Services.

The new set of SAP patches also includes 7 Support Package Notes, for a total of 18 Security Notes. One of the patches is an update to a previously released note.

Cross-Site Scripting was the most encountered vulnerability type, followed by Implementation Flaw and Information Disclosure. The remaining bugs were Missing Authorization Check issues, Denial of Service vulnerabilities, and one OS Command Execution flaw. 

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
