SAP Security Notes Review: March 2019

SAP’s security patch day for March 2019 saw the release of 12 SAP security notes covering 12 vulnerabilities, one with a Critical and two with a High CVSS v3.0 rating.

Two of the March 2019 security notes refer to BusinessObjects products and four to NetWeaver AS ABAP. The others are spread across products, with one each affecting HANA XS, SAP Plant Connectivity, SAP Mobile Platform SDK, SAP Work Manager and SAP Inventory Manager, NetWeaver AS Java, and SAP Business Client.


Critical and High Vulnerabilities: February 2019 Highlights


SAP NetWeaver AS Java

The one likely to affect the most customers with a Java stack is SAP Note 2689925, which fixes CVE-2019-0265, a cross-site scripting (XSS) vulnerability in a Java demo application. It requires a patch to the specific Java software component to fix.

SAP HANA XS

One High-rated vulnerability has been identified and corrected in SAP HANA XS this month. SAP Note 2764283 fixes CVE-2019-0277, which allows developers privileged access to an SAP space for which they should not be authorised. SAP HANA XS is deployed with SAP HANA and is the ‘Classic’ development environment; it has been superseded by SAP HANA XS Advanced.

SAP Business Client

One Critical-rated vulnerability has been identified in some versions of SAP Business Client 6.5 (SAP Note 2622660). It arises from vulnerabilities discovered in Chromium, which SAP Business Client uses as its embedded browser control.

Other Vulnerabilities

Notably, there are four vulnerabilities affecting SAP NetWeaver AS ABAP that will affect a broad range of customers using almost any current ABAP-based SAP product, as they cover a broad range of SAP Kernels and a common software component. These are probably worth checking for your organisation.

About this review

On the second Tuesday of each month, SAP releases security updates for its software products. At Absoft, we analyse all of the released security updates and produce this security review, including sending bespoke recommendations to each of our managed service customers.

There is more information on how we handle SAP security updates, including information on SAP’s process, the CVE process and the CVSS base scores in our earlier article on addressing security vulnerabilities in SAP software.