SAP Security Updates Patch 4 New Vulnerabilities

Enterprise software maker SAP on Tuesday released a new set of security updates for its products in its SAP Security Patch Day for January 2016.

The company has addressed a total of 23 vulnerabilities in SAP products (3 of which are Support Package Security notes), including 13 security flaws that have a high priority rating. As usual, the security notes cover both patches that SAP had already delivered before Tuesday and patches for newly discovered vulnerabilities.

Five of the vulnerabilities were cross-site scripting (XSS) flaws, making this the most common issue type in SAP products this month. According to the security notes, SAP also patched 4 information disclosure flaws, 2 denial of service vulnerabilities, 2 missing authorization check issues, one missing authentication check issue, and 5 other vulnerabilities.

ERPScan, which specializes in securing SAP and Oracle business software, explains in a blog post that the 3 support package security notes included 2 missing authorization check issues and one cross-site request forgery (XSRF) vulnerability.

The new patches cover two log injection and denial of service vulnerabilities in SAP HANA Extended Application Services Classic (XS), with a CVSS base score of 5.0; a cross-site scripting vulnerability in SAP RWB, with a CVSS score of 4.3; a cross-site scripting vulnerability in SAP PMI, with a CVSS score of 4.3; and an information disclosure vulnerability in SAP User Management Engine, with a CVSS score of 3.5.

ERPScan also told SecurityWeek that, of the total number of patches released as part of the January 2016 SAP Security Patch Day, only 4 are new, while the rest are updates for existing patches.

10 of the patches included in the new SAP security notes are for Java (44 percent of the total), five are for Advanced Business Application Programming, or ABAP (22 percent), 4 are for HANA (17 percent), one for Oracle (4 percent), one for the SAP Client (4 percent), and 2 for other products (9 percent). None of the patches was for a vulnerability rated “hot news.”

The most critical of the patches included in the January 2016 SAP Security Patch Day is for an implementation flaw in SAP on Oracle Database that has a CVSS base score of 6.4 and which could cause unpredictable system behavior, affecting its stability and safety.

Another noteworthy issue is an OS command execution vulnerability in SAP System Administration Assistant that has a CVSS base score of 6.0 and which could allow an attacker to run arbitrary commands on the target OS with the same privileges as the service that executes them. There is also an encryption issue in SAP HANA Database with a CVSS base score of 5.8, which affects the communication encryption feature in SAP HANA multi-tenant database containers.

In December 2015, SAP patched 19 new vulnerabilities. In its Patch Day Security Notes for December 2015, the company said three were rated as “hot news” and 16 were classified as high severity. In November, security researcher Ashar Javed revealed a reflected XSS flaw on a website used by SAP to list jobs available within the company and said that a total of around one hundred sites were affected by the issue.
