SAP Security

This page is dedicated to SAP Security issues that go beyond Users, Roles, Segregation of Duties and GRC. We continuously improve this section and ask you to visit often for the latest news or to subscribe to our Newsletter.

SAP Security Advisory

Please find the latest SAP Notes issued for SAP security-related issues. We urge our clients to take the time to read through all the notes upon release and act on the critical issues without delay to keep their data safe.

The Business Application Security Initiative

The Business Application Security Initiative (BIZEC) is a non-profit organization that focuses on security defects in business applications. These applications are responsible for processing and managing the most critical business information and processes, which makes their protection a key concern for private, governmental and defense organizations around the globe.

To this day, many security professionals believe that ERP security is synonymous with “Segregation of Duties”. While functional security is highly important, there are many other threats that carry higher levels of risk and are not usually properly assessed. The work of BIZEC is centered on risk rather than on technical details. This enables organizations to understand the impact of application security vulnerabilities and prioritize their mitigation accordingly.

The main goals of BIZEC are:

  • Raise awareness, demonstrating that ERP security must be analyzed holistically.
  • Analyze current and future threats affecting these systems.
  • Serve as a unique central point of knowledge and reference in this subject.
  • Provide experienced feedback to global organizations, helping them to increase the security of their business-critical information.
  • Organize events with the community to share and exchange information.

BIZEC does not endorse or recommend commercial products or services, with the objective of remaining a vendor-independent community and providing the best available information free of commercial bounds and restrictions. Visit the BIZEC website for more information.

Latest security vulnerabilities in SAP products

Security vulnerability feeds by

SAP SAPCAR 721.510 has a Heap Based Buffer Overflow Vulnerability. It could be exploited with a crafted CAR archive file received from an untrusted remote source. The problem is that the length of data written is an arbitrary number found within the file. The vendor response is SAP Security Note 2441560. (CVSS:6.8) (Last Update:2017-05-18)
Posted: May 10, 2017, 12:00 am

SQL injection vulnerability in the getUserUddiElements method in the ES UDDI component in SAP NetWeaver AS Java 7.4 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2356504. (CVSS:6.5) (Last Update:2017-04-21)
Posted: April 14, 2017, 12:00 am

SAP AS JAVA SSO Authentication Library 2.0 through 3.0 allows remote attackers to cause a denial of service (memory consumption) via large values in the width and height parameters to otp_logon_ui_resources/qr, aka SAP Security Note 2389042. (CVSS:5.0) (Last Update:2017-04-25)
Posted: April 14, 2017, 12:00 am

SQL injection vulnerability in SAP Business Intelligence platform before January 2017 allows remote attackers to obtain sensitive information, modify data, cause a denial of service (data deletion), or launch administrative operations or possibly OS commands via a crafted SQL query. The vendor response is SAP Security Note 2361633. (CVSS:10.0) (Last Update:2017-04-20)
Posted: April 13, 2017, 12:00 am

SAP HANA DB allows remote attackers to execute arbitrary code via vectors involving the audit logs, aka SAP Security Note 2170806. (CVSS:7.5) (Last Update:2017-04-20)
Posted: April 13, 2017, 12:00 am

A code injection vulnerability exists in SAP TREX / Business Warehouse Accelerator (BWA). The vendor response is SAP Security Note 2419592. (CVSS:7.5) (Last Update:2017-04-17)
Posted: April 11, 2017, 12:00 am

Buffer overflow in the MobiLink Synchronization Server component in SAP SQL Anywhere 17 and possibly earlier allows remote authenticated users to cause a denial of service (resource consumption and process crash) by sending a crafted packet several times, aka SAP Security Note 2308778. (CVSS:4.0) (Last Update:2017-04-14)
Posted: April 10, 2017, 12:00 am