Analyzing SAP Security Notes August 2014 Edition

SAP is a complex and ever-changing system, whether because of changes introduced to your SAP implementation to better suit your business or because of Security Notes (patches) applied to ensure that newly disclosed vulnerabilities are mitigated.

In order to provide a predictable and scheduled flow of vulnerability mitigation information and security patches, SAP releases its latest Security Notes on the second Tuesday of every month (SAP Patch Day). Because of this regular disclosure of new security issues that could weaken the security of the SAP systems within an organization, it is highly recommended to carry out periodic assessments at least monthly.

At Onapsis we are concerned not only about our clients' SAP systems' security but about the state of SAP security in general, so, to assist SAP's customers, we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published. The goal of this effort is to provide SAP clients with detailed information about the newly released notes and the vulnerabilities affecting their SAP systems, and to help guide their testing of these systems within their organization.

37 Security Notes were published by SAP this month (29 Patch Day Notes and 8 Support Package Notes).


The box-plot graph (figure) illustrates the distribution of CVSS scores across the Security Notes released by SAP this month. The median CVSS score is near 6.0, and three notes exceed 8.0 (their scores are 8.5, 8.7 and 8.8). Regardless of the CVSS score of each note, at Onapsis Research Labs we have analyzed the technical impact of all the published notes, since the score alone does not tell you whether a note applies to your landscape or how exposed the affected component is.
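The two mechanics this section relies on, the Patch Day calendar and a CVSS-based reading of a month's notes, are easy to get wrong by hand, so here is an added example (not code from the original post or from Onapsis) that computes the second Tuesday of each month and summarizes a month's notes the way the box plot does: score range, median, quartiles, notes above a threshold, and a triage order that puts Hot News first and unscored notes last. The note list is constructed sample data: the three scores above 8.0 (8.5, 8.7 and 8.8) match the post, while the remaining scores, the titles and the note numbers 9000001 to 9000010 are placeholders, not real SAP Notes.

```python
"""Added example: SAP Patch Day calendar plus CVSS triage of one month's notes.
SAMPLE_NOTES below are constructed; numbers 9000001-9000010 are placeholders."""
import calendar
import statistics
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


def sap_patch_day(year: int, month: int) -> date:
    """SAP Patch Day for a month: the second Tuesday (the rule stated in the post)."""
    first_weekday, _ = calendar.monthrange(year, month)          # Monday == 0
    offset_to_first_tuesday = (calendar.TUESDAY - first_weekday) % 7
    return date(year, month, 1 + offset_to_first_tuesday + 7)    # first Tuesday + 7 days


def patch_days(year: int) -> List[date]:
    """All twelve Patch Days of a year, for scheduling the monthly assessment."""
    return [sap_patch_day(year, m) for m in range(1, 13)]


@dataclass
class Note:
    number: int                  # SAP Security Note number (placeholder in the sample)
    title: str
    cvss: Optional[float]        # CVSS base score, None when SAP assigned none
    hot_news: bool = False       # SAP's highest priority category
    kind: str = "Patch Day"      # or "Support Package"


# Constructed sample month, deliberately unsorted so the triage ordering is visible.
SAMPLE_NOTES = [
    Note(9000005, "Missing authorization check", 6.0),
    Note(9000010, "Hardening guidance", None, kind="Support Package"),
    Note(9000002, "Remote code injection", 8.7),
    Note(9000008, "Cross-site scripting", 4.3),
    Note(9000001, "Missing API authentication", 8.8, hot_news=True),
    Note(9000004, "Remote denial of service", 7.1),
    Note(9000009, "Verbose error message", 3.5),
    Note(9000003, "Directory traversal", 8.5),
    Note(9000006, "Information disclosure", 5.5),
    Note(9000007, "Open redirect", 5.0),
]


def triage_order(notes: List[Note]) -> List[Note]:
    """Hot News first, then CVSS descending; notes without a score go last."""
    def key(n: Note):
        return (not n.hot_news, -n.cvss if n.cvss is not None else float("inf"))
    return sorted(notes, key=key)


def cvss_summary(notes: List[Note], threshold: float = 8.0) -> Dict[str, object]:
    """Box-plot style summary of the scored notes plus the ones above `threshold`."""
    scored = sorted(n.cvss for n in notes if n.cvss is not None)
    summary: Dict[str, object] = {
        "scored": len(scored),
        "unscored": len(notes) - len(scored),
        "hot_news": [n.number for n in notes if n.hot_news],
        "above_threshold": [n.number for n in triage_order(notes)
                            if n.cvss is not None and n.cvss > threshold],
    }
    if scored:
        summary.update(min=scored[0], max=scored[-1], median=statistics.median(scored))
    if len(scored) >= 2:                 # statistics.quantiles needs at least two values
        q1, _, q3 = statistics.quantiles(scored, n=4)
        summary.update(q1=q1, q3=q3)
    return summary


if __name__ == "__main__":
    print("SAP Patch Days 2014:", ", ".join(d.isoformat() for d in patch_days(2014)))
    for k, v in cvss_summary(SAMPLE_NOTES).items():
        print(f"{k:>16}: {v}")
    print("triage order:", [n.number for n in triage_order(SAMPLE_NOTES)])
```

The summary is only as good as its input: Support Package Notes and notes SAP did not score show up as "unscored" rather than silently dropping out, which is why the triage puts them at the end of the list instead of omitting them.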

Hot News
Note 2044175 was released as Hot News. This Security Note fixes authentication controls for APIs of the Afaria Server that did not properly authenticate incoming devices.

Analyzing SAP Security Notes July 2014 Edition

SAP is a complex and ever-changing system, whether because of changes introduced to your SAP implementation to better suit your business or because of Security Notes (patches) applied to ensure that newly disclosed vulnerabilities are mitigated.

In order to provide a predictable and scheduled flow of vulnerability mitigation information and security patches, SAP releases its latest Security Notes on the second Tuesday of every month. Because of this regular disclosure of new security issues that could weaken the security of the SAP systems within an organization, it is highly recommended to carry out periodic assessments at least monthly.

At Onapsis we are concerned not only about our clients' SAP systems' security but about the state of SAP security in general, so, to assist SAP's customers, we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published. The goal of this effort is to provide SAP clients with detailed information about the newly released notes and the vulnerabilities affecting their SAP systems, and to help guide their testing of these systems within their organization.


Analyzing SAP Security Notes June 2014 Edition

SAP is a complex and ever-changing system, whether because of changes introduced to your SAP implementation to better suit your business or through the application of Security Notes (patches) to ensure that newly disclosed vulnerabilities are mitigated.

In order to provide a predictable and scheduled flow of vulnerability mitigation information and security patches, SAP releases its latest Security Notes on the second Tuesday of every month. Because of this regular disclosure of new security issues that could weaken the security of the SAP systems within an organization, it is highly recommended to carry out periodic assessments at least monthly.

At Onapsis we are concerned about our clients' SAP systems' security and also about the state of SAP security in general, so, to assist our customers, we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published. The goal is to provide SAP clients with detailed information about the newly released notes and the vulnerabilities affecting their SAP systems, and to help guide their testing of these systems within their organization.

This month 21 SAP Security Notes were published by SAP (3 Support Package Notes and 18 Patch Day Notes). Of the ten notes reported by external researchers, Onapsis Research Labs reported six. Among those, 2001106 addresses a remote, unauthenticated Denial of Service affecting SAP BusinessObjects, and 2015446 a code injection vulnerability in the SAP HANA Web Development Workbench, both discovered by Will Vandevanter.


Analyzing SAP Security Notes April 2014 Edition

SAP is a complex and ever-changing system, whether because of changes introduced to your SAP implementation to better suit your business or through the application of Security Notes (patches) to ensure that newly disclosed vulnerabilities are mitigated.

In order to provide a predictable and scheduled flow of vulnerability mitigation information and security patches, SAP releases its latest Security Notes on the second Tuesday of every month. Because of this regular disclosure of new security issues that could weaken the security of the SAP systems within an organization, it is highly recommended to carry out periodic assessments at least monthly.

At Onapsis we are concerned about our clients' SAP systems' security and also about the state of SAP security in general, so, to assist our customers, we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published. The goal is to provide SAP clients with detailed information about the newly released notes and the vulnerabilities affecting their SAP systems, and to help guide their testing of these systems within their organization.

Figure: CVSS distribution for the Security Notes released in April 2014

This month 23 Security Notes were published by SAP (5 Support Package Notes and 18 Patch Day Notes). Onapsis Research Labs reported 4 of the 18 Patch Day Notes:

  • 1778940 by Nahuel D. Sánchez
  • 1974016 by Nahuel D. Sánchez
  • 1993349 by Will Vandevanter
  • 1929473 by Sergio Abraham

We have generated a plot illustrating the distribution of CVSS scores across the Security Notes released in April. 15 of the 23 SAP Security Notes were assigned a CVSS score by SAP. As the graph shows, the scored notes this month range from 2.6 to 6.0, with a median of 4.9.



Analyzing SAP Security Notes March 2014 Edition

SAP is a complex and ever-changing system, whether because of changes introduced to your SAP implementation to better suit your business or because of Security Notes (patches) applied to ensure that newly disclosed vulnerabilities are mitigated.

In order to provide a predictable and scheduled flow of vulnerability mitigation information and security patches, SAP releases its latest Security Notes on the second Tuesday of every month. Because of this regular disclosure of new security issues that could weaken the security of the SAP systems within an organization, it is highly recommended to carry out periodic assessments at least monthly.

At Onapsis we are concerned not only about our clients' SAP systems' security but about the state of SAP security in general, so, to assist SAP's customers, we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published. The goal is to provide SAP clients with detailed information about the newly released notes and the vulnerabilities affecting their SAP systems, and to help guide their testing of these systems within their organization.

This month 9 Security Notes were published by SAP. Onapsis Research Labs reported 2 of the issues addressed by SAP:

  • 1963932 by Sergio Abraham and Manuel Muradas
  • 1964428 by Sergio Abraham

