SAP Security Notes Review: March 2019
SAP’s security patch day for March 2019 saw the release of 12 SAP security notes covering 12 vulnerabilities, with one rated Critical and two rated High on the CVSS v3.0 scale.
Two of the March 2019 security notes refer to BusinessObjects products and four to NetWeaver AS ABAP. The remainder are spread across products, with one each affecting HANA XS, SAP Plant Connectivity, SAP Mobile Platform SDK, SAP Work Manager and SAP Inventory Manager, NetWeaver AS Java, and SAP Business Client.
Critical and High Vulnerabilities: March 2019 Highlights
SAP NetWeaver AS Java
The note most likely to affect customers running a Java stack is SAP Note 2689925, which fixes CVE-2019-0265, a cross-site scripting (XSS) vulnerability in a Java demo application. Resolving it requires patching the specific Java software component concerned.
SAP HANA XS
One High rated vulnerability has been identified and corrected in SAP HANA XS this month. SAP Note 2764283 fixes CVE-2019-0277, which could give developers privileged access to areas of the SAP system for which they are not authorised. SAP HANA XS is deployed with SAP HANA and is the ‘Classic’ development environment; it has been superseded by SAP HANA XS Advanced.
SAP Business Client
One Critical rated vulnerability has been identified in some versions of SAP Business Client 6.5 (SAP Note 2622660). It arises from vulnerabilities discovered in Chromium, which SAP Business Client uses as its embedded browser control.
There are also four notes affecting SAP NetWeaver AS ABAP, which will affect a broad range of customers using almost any current ABAP-based SAP product: they cover a broad range of SAP Kernels and a common software component. Probably worth checking these for your organisation!
About this review
On the second Tuesday of each month, SAP release security updates to their software products. At Absoft, we analyse all of the released security updates and produce this security review, including sending bespoke recommendations for each of our managed service customers.
There is more information on how we handle SAP security updates, including information on SAP’s process, the CVE process and the CVSS base scores in our earlier article on addressing security vulnerabilities in SAP software.