SAP is a complex and ever-changing system, whether because of changes introduced to your SAP implementation to better suit your business or because of Security Notes (Patches) applied to ensure that newly disclosed vulnerabilities are mitigated.
In order to provide a predictable and scheduled flow of vulnerability mitigation and security patches, SAP releases its latest Security Notes information on the second Tuesday of every month. Because of this regular disclosure of new security issues that could weaken the security of SAP systems within an organization, it is highly recommended to carry out periodic assessments at least monthly.
At Onapsis we are very concerned not only about our clients’ SAP system security but also about the state of SAP security in general, so, to assist SAP’s customers, we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published. The goal of this effort is to provide SAP clients with detailed information about the newly released notes and the vulnerabilities affecting their SAP systems, and to help guide their testing of these systems within their organization.
37 Security Notes were published by SAP this month (29 Patch Day and 8 Support Package Notes).
The box-plot graph, located on the left side, illustrates the distribution of CVSS scores across the Security Notes released by SAP.
The median CVSS score is near 6.0, with three notes exceeding a CVSS score of 8.0 (their values are 8.5, 8.7 and 8.8). Regardless of the criticality of each note, at Onapsis Research Laboratory we have analyzed the technical impact of all the published notes.