Addressing Security Vulnerabilities in SAP Software
This article covers some frequently asked questions on how SAP address vulnerabilities in their software, and the best practices for customers to ensure their systems are secure.
How do SAP address security vulnerabilities?
SAP have adopted a monthly patch day to release a batch of SAP security notes that address urgent security vulnerabilities across all of their products. The patch day is on the second Tuesday of every month.
Customers, or their SAP support partners, should review the SAP Security Notes that released each month for relevant to specific systems, assess the specific risk for each note, and apply the fixes as required in a timely fashion after the patch day.
Security issues that are resolved by a support package are also released each month as SAP Notes, but the fixes are applied in the next support package application and not immediately on release of the note itself.
Very urgent, so called zero day vulnerabilities, are occasionally released outside of the regular patch day or support packages for immediate consideration and implementation. These are issued as Hot News by SAP where a vulnerability is found that could be, or has been, exploited in the wild with significant impact and should be fixed immediately.
Upcoming Security Patch Dates:
What are CVE numbers?
Most security vulnerabilities fixed by SAP in a patch day note are issued with a Common Vulnerabilities and Exposures (CVE) number. A CVE numbers refers to a publicly known vulnerability, and takes the format of CVE-Year-Number, for example CVE-2014-0160 refers to the famous heartbleed vulnerability.
The CVE programme is administered by MITRE, but they have designated SAP as a CVE Number Authority (CNA) meaning SAP issue a CVE number for vulnerabilities that are reported to them.
What do the CVSS v3 Ratings mean?
The Common Vulnerability Scoring System (CVSS) is an open and cross-vendor framework for describing the characteristics and severity of a software vulnerability.
The CVSS v3 base score between 0 and 10 provides an indication of the severity of the vulnerability.
The CVSS v3 base vector gives a more detailed breakdown on the characteristics of the vulnerability, including how it can be exploited and the impact it has. The scope tracks whether the vulnerability can affect resources beyond the authorisation authority (changed scope, such as escaping a virtual machine) or only within one authority (unchanged scope).
SAP provides the CVSS rating of both base score and base metric for all vulnerabilities that are fixed by patch day notes, which can be used by customers to prioritise and understand a particular vulnerability.
How can I report a vulnerability to SAP?
If you find a security vulnerability as an SAP customer, your first port of call should be to log an incident with SAP to report it. If you are an Absoft VAR customer, you should log an incident with Absoft.
SAP ask third parties and security researchers to contact firstname.lastname@example.org, with PGP email encryption. You should take care to follow SAP’s current disclosure guidelines and check for the latest information to report a vulnerability.
How does Absoft handle security vulnerabilities?
Absoft review security notes on a monthly basis for our managed service customers, with bespoke recommendations provided where an issue is relevant to a specific SAP landscape.
Starting from January 2019, we will also be publishing a monthly digest with a summary of SAP security vulnerabilities that were addressed by SAP that month.
Note that we will never share any details on any vulnerabilities reported in security notes to the general public, to comply with disclosure guidelines, and to ensure that we do not provide information to attackers before customers have had a chance to patch.