SAP Security Notes Review: April 2019

SAP’s security patch day for April 2019 has seen the release of 8 SAP security notes covering 8 vulnerabilities, with one Critical and one High CVSS v3.0 Rating.  


Three security notes in April 2019 refer to PI products and two have been released for NetWeaver AS ABAP.  The others are spread across a range of products including SAP HANA, SAP Crystal Reports and SAP Business Client.



Critical and High Vulnerabilities: April 2019 Highlights



One high rated vulnerability has been identified and corrected in SAP PI this month.  SAP Note 2747683 addresses this issue which is related to Digital Signatures in the PI Adapter Engine.  There are also a few other notes released this month for SAP PI, notably SAP Note 2742758 and SAP Note 2741201.


SAP NetWeaver and ABAP Platform

One medium rated vulnerability has been identified which affects SAP NetWeaver. This note was previously released but has been updated this month to include Java Server. SAP Note 2729710  addresses an issue with the SLD registration process.


SAP Business Client

One critically rated vulnerability has been identified with some versions of SAP Business Client 6.5.  SAP Note 2622660  This has occurred because of vulnerabilities discovered in Chromium, which is used as the embedded browser control used by SAP Business Client.


Other Vulnerabilities

There are further vulnerabilities affecting SAP NetWeaver AS ABAP which will affect a broad range of customers using almost any current ABAP based SAP product – these cover a broad range of SAP Kernels and a common software component.  Probably worth checking these for your organisation!



About this review


On the second Tuesday of each month, SAP release security updates to their software products.  At Absoft, we analyse all of the released security updates and produce this security review, including sending bespoke recommendations for each of our managed service customers. 


There is more information on how we handle SAP security updates, including information on SAP’s process, the CVE process and the CVSS base scores in our earlier article on addressing security vulnerabilities in SAP software.