SAP Security Notes February 2017

On 14 February 2017, SAP released its monthly set of SAP Security Notes, consisting of 22 patches.

To help everyone engaged in the SAP patching process, the ERPScan research team conducted a detailed review of the released SAP Security Notes. This analysis will also be useful for companies providing SAP Vulnerability Assessment, SAP Security Audit, or SAP Penetration Testing.

SAP Security Notes February 2017 in review

February’s batch of security patches includes 15 SAP Security Patch Day Notes and 7 Support Package Notes. 4 Notes are updates to previously released Security Notes.

7 of the patches were rated High risk, the remaining 15 were assessed Medium priority. The highest CVSS score of the vulnerabilities is 8.5.

SAP Security Notes Distribution by priority

Most of the vulnerabilities belong to the SAP NetWeaver ABAP platform.

SAP Security Notes Distribution by stack

The most common vulnerability type is Missing Authorization Check.

SAP Security Notes Distribution by vulnerability type

Priority vs. Application type distribution

It is commonplace to say that SAP systems are complex; when it comes to SAP patching, however, this complexity has to be taken into account. To simplify the process, the ERPScan research team created a table showing the distribution of the Notes between priority and application area.

Security Notes by application area (priority categories: Hot News, High, Medium, Low):
  • Basis Components: 2392860
  • Cross-Application Components: 2391018
  • HANA: 2407694
  • Enterprise Portal: 2326291
  • SAP Business Information Warehouse: 2386873
  • Governance, Risk and Compliance: 2413716
  • Business intelligence solutions: 2292351
  • Sales and Distribution: 2355398
  • Customer Relationship Management: 2347077

The most critical issues closed by SAP Security Notes February 2017

The most critical vulnerabilities of this update can be patched by the following SAP Security Notes:

  • 2408892: SAP NetWeaver Data Orchestration has a Missing Authorization Check vulnerability (CVSS Base Score: 8.5). An attacker can use a Missing Authorization Check vulnerability to access the service without authorization and use service functionality that should be restricted. This can lead to information disclosure, privilege escalation, and other attacks. Install this SAP Security Note to prevent these risks.
  • 2413716: SAP GRC Access Control EAM has an Implementation Flaw vulnerability (CVSS Base Score: 8.2). An implementation flaw can cause unpredictable behaviour of the system and problems with its stability and safety. Install this SAP Security Note to prevent these risks.
  • 2391018: SAP 3D Visual Enterprise Author, Generator and Viewer has a Memory Corruption vulnerability (CVSS Base Score: 8). An attacker can use a buffer overflow vulnerability to inject specially crafted code into working memory, where it will be executed by the vulnerable application. Executed commands run with the same privileges as the service that executed them. This can lead to complete control of the application, denial of service, command execution, and other attacks. Install this SAP Security Note to prevent these risks.
  • Multiple vulnerabilities in SAP HANA (CVSS Base Score: 8.3). The update is available in SAP Security Note 2407694. An attacker can use a denial of service vulnerability to crash a process of the vulnerable component. While the process is down, nobody is able to use this service, which disrupts business processes, causes system downtime and, as a result, damages business reputation.
    More about these SAP HANA vulnerabilities
    More about SAP HANA Patching Process

Advisories for these SAP vulnerabilities, with technical details, will be available in 3 months. Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.
