SAP admins warned to patch three fixes ‘as soon as possible’

SAP administrators are being warned to deal with new critical vulnerabilities identified this week in the company’s monthly patch update, which totals 23 security notes.

According to security vendor Onapsis, which protects SAP and Oracle installations, this SAP Security Patch Day has the highest number of critical notes so far this year: three HotNews and two High Priority Notes, plus one re-released HotNews note.

One of them is for a code injection vulnerability in NetWeaver UDDI Server with a Common Vulnerability Scoring System (CVSS) score of 9.9, the most critical of the current year.

The others affect NetWeaver Application Server for Java, and SAP Commerce Cloud (former SAP Hybris Commerce).

“The last time SAP published three HotNews on the same day was in 2014,” said the Onapsis blog, “so it’s important to pay attention to this month’s release and begin applying the fixes as soon as possible.”

The blog says the two fixes affecting SAP Java platforms close holes that allow unauthenticated attackers to execute commands remotely and potentially disrupt system operations by shutting a system down or exhausting its resources. SAP Java systems usually host web applications consumed by users, most likely for regular operations, so a continuity problem can have a severe economic impact on the organization.

The bug in NetWeaver UDDI Server (the one ranked CVSS 9.9) lets attackers take advantage of a buffer overflow vulnerability to inject code into working memory. The Onapsis blog points out that because of the low complexity of this attack scenario, combined with the wide range of possible damage (e.g. information disclosure, data manipulation and destruction, up to complete control of the product), it is considered the most critical fix released by SAP in 2019. Fortunately, this vulnerability can easily be fixed by applying the corresponding support packages provided with the note (versions from NetWeaver 7.10 to 7.50 are affected and have a patch available).

One of the HotNews vulnerabilities, SAP Security Note #2813811, titled “Server-Side Request Forgery (SSRF) in SAP NetWeaver Application Server for Java”, has a CVSS score of 9.0, since a potential attacker could access the Management Console for SAP Java systems by stealing user credentials. Unauthenticated users gaining access as administrators of the Management Console could cause total disruption of the Java Web Portals as well as data access (espionage, leaks) or data modification.

“Considering the number of four HotNews and two High Priority Security Notes and taking into account the wide range of attack vectors exploitable in various SAP platforms, the August Patch Day demonstrates impressively the importance of keeping your systems up to date,” says the blog.




Howard Solomon