SAP Security Notes Review: December 2019

SAP’s security patch day for December 2019 saw the release of 7 SAP security notes: 1 Critical and 6 Medium, based on the CVSS v3.0 rating.



Two of the security notes this month relate to SAP Business Objects. In addition, one vulnerability was found in each of the following products: SAP Business Client, Sybase ASE Database Platform, SAP Enable Now, SAP HANA and SAP ERP HCM.



Critical Vulnerabilities: December 2019 Highlights


Security updates for the browser control Google Chromium delivered with SAP Business Client (SAP Note 2622660)


The SAP Business Client installer includes a packaged release of Google Chrome (from release 6.5 PL5), which is the current stable version at the time of install. The note outlines that the version needs to be updated to the latest version to remove the risk of web page exploits.


About this review


On the second Tuesday of each month, SAP release security updates to their software products. At Absoft, we analyse all of the released security updates and produce this security review, including sending bespoke recommendations for each of our managed service customers.


There is more information on how we handle SAP security updates, including information on SAP’s process, the CVE process and the CVSS base scores in our earlier article on addressing security vulnerabilities in SAP software.