SAP Security Notes Review: January 2019

SAP’s security patch day for January 2019 saw the release of 12 SAP security notes covering 13 vulnerabilities, with two rated Critical and one rated High under CVSS v3.0.


Two of the January 2019 security notes relate to BusinessObjects products, two relate to CRM, and two vulnerabilities affect SAP Cloud Connector. The others are spread across products, with one each affecting SAP Landscape Management, the Mobile Platform SDK, BW/4HANA, NetWeaver Gateway, SAP Hybris and S/4HANA.


Critical Vulnerabilities: January 2019 Highlights


SAP Cloud Connector

SAP Note 2696233 fixes CVE-2019-0246, which relates to missing authentication checks in the SAP Cloud Connector. The SAP Cloud Connector allows cloud services to securely access on-premises systems and resources, for example to access ERP data from an SAP cloud service. A missing authentication check may allow a user to perform an operation that they should not be able to perform. The solution is to upgrade to version 2.11.3 of SAP Cloud Connector, which is currently the latest version available for download.


SAP Landscape Management

SAP Note 2727624 fixes CVE-2019-0249, an information exposure vulnerability in SAP Landscape Management during deployment of SAP HANA databases. To correct the issue, there is an SAP Landscape Management patch available, along with manual steps to follow in the SAP Note.


About this review

On the second Tuesday of each month, SAP release security updates to their software products. At Absoft, we analyse all of the released security updates and produce this security review, and we send bespoke recommendations to each of our managed service customers.


There is more information on how we handle SAP security updates, including information on SAP’s process, the CVE process and the CVSS base scores, in my article on addressing security vulnerabilities in SAP software.