Serious Vulnerabilities Patched in SAP Products

Enterprise software maker SAP has released patches to address a series of high severity vulnerabilities affecting various products.

As part of its October 2015 Security Patch Day, SAP released a total of 29 patches and support packages. According to SAP, there are 17 new security notes and four updates to previous notes.

Of these 21 notes, one has been rated critical and 15 have been classified as having high priority. The security updates resolve missing authorization checks, information disclosure issues, cross-site scripting (XSS) flaws, buffer overflows, a missing authentication check, and a SQL injection vulnerability.

The most severe of the patched issues, with a CVSS score of 9.3, are a couple of vulnerabilities affecting the SAP HANA database management system. The flaws were patched by SAP with the release of the 2197428 security note.

One of these bugs, which could lead to remote code execution, was discovered by SAP security solutions provider ERPScan. 

“An attacker can use Remote Command Execution to run commands remotely without authorization, under the privileges of the service that executes them,” ERPScan said in an advisory. “The attacker can access arbitrary files and directories located in an SAP server filesystem, including application source code, configuration, and critical system files. It allows the attacker to obtain critical technical and business-related information stored in the vulnerable SAP system.”

The second issue patched with the 2197428 note, discovered by SAP security provider Onapsis, is a buffer overflow vulnerability in the SQL interface of SAP HANA Extended Application Services.

The list of high priority issues patched by SAP includes an input validation vulnerability affecting the Service Data Control Center (SDCC) Download Function Module, a weakness that can be exploited via the RFC gateway against NetWeaver Search and Classification (TREX) or NetWeaver Business Warehouse Accelerator (BWA), and a remote code execution bug in 3D Visual Enterprise components.

An advisory published by Onapsis also summarizes other high severity issues patched by SAP with the October updates, including information disclosure related to NetWeaver Application Server Java, a log injection flaw affecting the HANA audit log, a directory traversal in a component of ABAP, and a validation failure issue in the Internet Communication Framework.

Missing authorization checks continue to be the most common flaws. A report published last year by ERPScan showed that of the 3,000 vulnerabilities patched by SAP since 2001, roughly 20 percent were in this category.

*Updated to clarify that the 2197428 note patches two different vulnerabilities. An earlier version of the article incorrectly stated that both ERPScan and Onapsis reported the same flaw.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
