SAP Security Notes Review: February 2019

SAP’s security patch day for February 2019 saw the release of 15 SAP security notes covering 16 vulnerabilities, with one rated Critical and five rated High under CVSS v3.0.



Two of the February 2019 security notes concern BusinessObjects products, two concern Disclosure Management, four concern NetWeaver AS ABAP, and four vulnerabilities affect HANA XS Advanced. The others are spread across products, with one each affecting SAP Business One, SAP MII Illuminator and SAP Solution Tools Plug In.



Critical and High Vulnerabilities: February 2019 Highlights



Notably, four vulnerabilities affect SAP NetWeaver AS ABAP, which means they will affect a broad range of customers using almost any current ABAP-based SAP product.

The one likely to affect the most customers is SAP Note 2729710, which fixes CVE-2019-0265, an XML validation issue that arises when sending data to an SLD. The fix requires a kernel patch.


SAP HANA XS Advanced

Four vulnerabilities have been fixed in SAP HANA XS Advanced this month, including the only Critical vulnerability of the month. SAP Note 2742027 fixes CVE-2019-0261, an authorisation check problem in SAP HANA XS Advanced. Note that SAP HANA XS Advanced is separate from the traditional SAP HANA XS, and is generally installed separately with SAP HANA.


About this review

On the second Tuesday of each month, SAP releases security updates for its software products. At Absoft, we analyse all of the released security updates and produce this security review, and we send bespoke recommendations to each of our managed service customers.


There is more information on how we handle SAP security updates, including information on SAP’s process, the CVE process and the CVSS base scores, in my article on addressing security vulnerabilities in SAP software.