SAP is a complex and ever changing system, whether because of changes introduced to SAP implementation to better suit the business, or through the application of Security Notes (Patches) to ensure that newly disclosed vulnerabilities are mitigated.
In order to provide a predictable and scheduled flow of vulnerability mitigation information and security patches, SAP releases the major part of their latest Security Notes information on the second Tuesday of every month. Due to this regular disclosure of new security issues that could potentially weaken the security of SAP systems within an organization, it’s highly recommended to carry out periodic assessments on a monthly basis at the very least.
At Onapsis, we are very concerned about our client’s SAP system security and the state of SAP security in general. To assist our customers, we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published. The goal of this is to provide SAP clients with detailed information about the newly released notes and vulnerabilities affecting their SAP systems, and to help guide their testing of these systems within their organization.
On this Patch Day (second Tuesday of each month) SAP published 16 Security Notes (taking into account 2 Support Packages and 14 Patch Day Notes). There were notes published by external security researchers from which, Onapsis Research Labs reported SAP Security Note 2109818 discovered by security researchers Nahuel D. Sánchez and Fernando Russ.
The plot graph illustrates the distribution of CVSS scores across the Security Notes released. The only notes taken into account were the ones for which SAP set a CVSS (12 out of the 16 SAP Security Notes). As it’s represented in the graph, the SAP Security Notes range values go from 3.5 to 7.5 with a median of 5.25.