
SAP Security Notes February 2017


Now that we've had some time to unpack it all, let's take a closer look at some notes from last month's SAP Security update.


On 14 February 2017, SAP released its monthly set of SAP Security Notes, consisting of 22 patches.

To help everyone who is engaged in the SAP patching process, the ERPScan research team conducted a detailed review of the released SAP Security Notes. This analysis would also be useful for companies providing SAP Vulnerability Assessment, SAP Security Audit, or SAP Penetration Testing.

SAP Security Notes February 2017 in review

February’s batch of security patches includes 15 SAP Security Patch Day Notes and 7 Support Package Notes. 4 Notes are updates to previously released Security Notes.

7 of the patches were rated High priority; the remaining 15 were rated Medium. The highest CVSS score among the vulnerabilities is 8.5.

Most of the vulnerabilities affect the SAP NetWeaver ABAP platform.

The most common vulnerability type is Missing Authorization Check.

Priority vs. Application Type Distribution

That SAP systems are complex is commonplace knowledge, but when it comes to SAP patching it has to be taken into account. To simplify the process, the ERPScan research team created a table showing the distribution of this month's Notes across priority and application area.

Priority levels used by SAP: Hot News, High, Medium, Low.

| Application area                        | SAP Security Note |
|-----------------------------------------|-------------------|
| Basis Components                        | 2392860           |
| Cross-Application Components            | 2391018           |
| HANA                                    | 2407694           |
| Enterprise Portal                       | 2326291           |
| SAP Business Information Warehouse      | 2386873           |
| Governance, Risk and Compliance         | 2413716           |
| Business intelligence solutions         | 2292351           |
| Sales and Distribution                  | 2355398           |
| Customer Relationship Management        | 2347077           |

The Most Critical Issues Closed by SAP Security Notes February 2017

The most critical vulnerabilities of this update can be patched by the following SAP Security Notes:

  • 2408892: SAP NetWeaver Data Orchestration has a Missing Authorization Check vulnerability (CVSS Base Score: 8.5). An attacker can use a Missing Authorization Check vulnerability to reach the service without authorization and use service functionality that is supposed to be restricted. This can lead to information disclosure, privilege escalation, and other attacks. Install this SAP Security Note to prevent the risks.
  • 2413716: SAP GRC Access Control EAM has an Implementation Flaw vulnerability (CVSS Base Score: 8.2). An implementation flaw can cause unpredictable system behavior and problems with stability and safety. Install this SAP Security Note to prevent the risks.
  • 2391018: SAP 3D Visual Enterprise Author, Generator, and Viewer have a Memory Corruption vulnerability (CVSS Base Score: 8). An attacker can use a buffer overflow vulnerability to inject specially crafted code into working memory, where it is executed by the vulnerable application. Executed commands run with the same privileges as the service that executed them. This can lead to complete control of the application, denial of service, command execution, and other attacks. Install this SAP Security Note to prevent the risks.
  • Multiple vulnerabilities in SAP HANA (CVSS Base Score: 8.3). The update is available in SAP Security Note 2407694. An attacker can use a Denial of Service vulnerability to crash a process of the vulnerable component. During this time nobody is able to use the service, which disrupts business processes, causes system downtime, and, as a result, damages business reputation. More about these SAP HANA vulnerabilities
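Since Missing Authorization Check is the most common vulnerability type in this batch and most of the affected code is NetWeaver ABAP, here is an added illustration of what the flaw looks like at the code level and how it is corrected. This is example code written for this review, not code from SAP, ERPScan, or any of the Notes above; the function module names, the custom authorization object Z_CUST and its fields ACTVT and KUNNR are hypothetical.

```abap
* Added example, not taken from any SAP Security Note.
* Assumed: a custom authorization object Z_CUST with fields ACTVT and
* KUNNR exists and is assigned to roles via PFCG (hypothetical).

* --- Vulnerable form ---------------------------------------------------
* Remote-enabled function module that reads customer master data.
* There is no AUTHORITY-CHECK, so every user who can reach the RFC
* interface at all gets the data, regardless of the roles assigned.
FUNCTION z_read_customer_vuln.
*"  IMPORTING
*"     VALUE(iv_kunnr)    TYPE kunnr
*"  EXPORTING
*"     VALUE(es_customer) TYPE kna1
  SELECT SINGLE * FROM kna1 INTO es_customer WHERE kunnr = iv_kunnr.
ENDFUNCTION.

* --- Hardened form -----------------------------------------------------
* The explicit AUTHORITY-CHECK runs before any database access and is
* bound to the activity (03 = display) and to the specific customer
* number that was requested, so a role can be scoped to a subset of
* customers rather than to all of KNA1.
FUNCTION z_read_customer.
*"  IMPORTING
*"     VALUE(iv_kunnr)    TYPE kunnr
*"  EXPORTING
*"     VALUE(es_customer) TYPE kna1
*"  EXCEPTIONS
*"     not_authorized
*"     not_found
  AUTHORITY-CHECK OBJECT 'Z_CUST'
    ID 'ACTVT' FIELD '03'
    ID 'KUNNR' FIELD iv_kunnr.
  IF sy-subrc <> 0.
    " Check failed: abort before touching the table. Raising the same
    " exception whether or not the customer exists avoids turning the
    " module into an oracle for valid customer numbers.
    RAISE not_authorized.
  ENDIF.

  SELECT SINGLE * FROM kna1 INTO es_customer WHERE kunnr = iv_kunnr.
  IF sy-subrc <> 0.
    RAISE not_found.
  ENDIF.
ENDFUNCTION.
```

When reviewing custom remote-enabled function modules, the pattern to look for is exactly the first form: a data access with no AUTHORITY-CHECK (or one whose sy-subrc is never evaluated) between the interface and the SELECT. The module-level check should be combined with the standard S_RFC authorization object, which restricts which function groups a user may call over RFC at all, and the authorization trace in transaction ST01 can be used to confirm that the check actually fires for the users and roles in question.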



Published at DZone with permission of
