SAP Security Notes Review: May 2019

SAP’s security patch day for May 2019 has seen the release of 11 SAP security notes covering 11 vulnerabilities, with only one High and no critical CVSS v3.0 Rating.  



Three security notes in May 2019 refer to the NetWeaver AS Java. Two have been released for NetWeaver AS ABAP & S/4 HANA. In addition to that, another two have been released for SAP Business Objects and solution tools. The others are spread across a range of products including SAP Identity Management and CRM.


Critical and High Vulnerabilities: May 2019 Highlights


SAP Identity Management

One high rated vulnerability has been identified and corrected in SAP Identity Management REST Interface Version 2.

This sap note SAP Note 2784307 fixes a programming error for systems which are using SAP Identity Management 8.0 SP06.


Other Vulnerabilities


There are further vulnerabilities affecting SAP NetWeaver AS ABAP which will affect a broad range of customers using almost any current ABAP based SAP product – these cover a broad range of SAP Kernels and a common software component. Probably worth checking these for your organisation!


About this review


On the second Tuesday of each month, SAP release security updates to their software products.  At Absoft, we analyse all of the released security updates and produce this security review, including sending bespoke recommendations for each of our managed service customers. 


There is more information on how we handle SAP security updates, including information on SAP’s process, the CVE process and the CVSS base scores in our earlier article on addressing security vulnerabilities in SAP software.