SAP Security

This page is dedicated to SAP Security issues that go beyond Users, Roles, Segregation of Duties and GRC. We continuously improve this section and ask you to visit often for the latest news or to subscribe to our Newsletter.

SAP Security Advisory

Please find the latest SAP Notes issued for SAP Security-related issues. We urge our clients to take the time to read through all the notes upon release and to act on the critical issues without delay, so that their data stays safe.

The Business Application Security Initiative

The Business Application Security Initiative (BIZEC.org) is a non-profit organization that focuses on security defects in business applications. These applications are responsible for processing and managing the most critical business information and processes, which makes their protection a key concern for private, governmental and defense organizations around the globe.

To this day, many security professionals believe that ERP security is synonymous with “Segregation of Duties”. While functional security is highly important, there are many other threats that carry higher levels of risk and are usually not properly assessed. The work of BIZEC is centered on risk rather than on technical details. This enables organizations to understand the impact of application security vulnerabilities and to prioritize their mitigation accordingly.

The main goals of BIZEC are:

  • Raise awareness, demonstrating that ERP security must be analyzed holistically.
  • Analyze current and future threats affecting these systems.
  • Serve as a unique central point of knowledge and reference in this subject.
  • Provide experienced feedback to global organizations, helping them to increase the security of their business-critical information.
  • Organize events with the community to share and exchange information.

BIZEC does not endorse or recommend commercial products or services, in order to remain a vendor-independent community and to provide the best available information free of commercial ties and restrictions. Visit the BIZEC website for more information.

Latest security vulnerabilities in SAP products

Security vulnerability feeds by http://www.cvedetails.com

The SAP Internet Graphics Server (IGS), 7.20, 7.20EXT, 7.45, 7.49, 7.53, has several denial-of-service vulnerabilities that allow an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service. (CVSS:5.0) (Last Update:2018-09-08)
Posted: July 10, 2018, 12:00 am
Under certain circumstances SAP Dynamic Authorization Management (DAM) by NextLabs (Java Policy Controller versions 7.7 and 8.5) exposes sensitive information in the application logs. (CVSS:2.1) (Last Update:2018-09-06)
Posted: July 10, 2018, 12:00 am
Executing transaction WRCK in SAP R/3 Enterprise Retail (EHP6) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. (CVSS:6.5) (Last Update:2018-09-07)
Posted: July 10, 2018, 12:00 am
The SAP Internet Graphics Server (IGS), 7.20, 7.20EXT, 7.45, 7.49, 7.53, has insufficient request validation (for example, where the request is validated for authenticity and validity) and, under certain conditions, will process invalid requests. Several areas of the SAP Internet Graphics Server (IGS) did not require sufficient input validation. Namely, the SAP Internet Graphics Server (IGS) HTTP and RFC listener, the SAP Internet Graphics Server (IGS) portwatcher when registering a portwatcher to the multiplexer, and the SAP Internet Graphics Server (IGS) multiplexer had insufficient input validation, thus allowing a malformed data packet to cause a crash. (CVSS:4.3) (Last Update:2018-09-12)
Posted: July 10, 2018, 12:00 am
The SAP Internet Graphics Service (IGS), 7.20, 7.20EXT, 7.45, 7.49, 7.53, allows an attacker to externally trigger IGS command executions which can lead to: disclosure of information and malicious file insertion or modification. (CVSS:6.4) (Last Update:2018-09-08)
Posted: July 10, 2018, 12:00 am
SAP NetWeaver Enterprise Portal from 7.0 to 7.02, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. (CVSS:4.3) (Last Update:2018-09-05)
Posted: July 10, 2018, 12:00 am
SAP Gateway (SAP KERNEL 32 NUC, SAP KERNEL 32 Unicode, SAP KERNEL 64 NUC, SAP KERNEL 64 Unicode 7.21, 7.21EXT, 7.22 and 7.22EXT; SAP KERNEL 7.21, 7.22, 7.45, 7.49 and 7.53) allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service. (CVSS:5.0) (Last Update:2018-09-11)
Posted: July 10, 2018, 12:00 am