The main insights from the latest SAP Security Patch Day

As you know, the second Tuesday of every month is known in the cybersecurity community as Patch Tuesday. Microsoft introduced this tradition in 2013 as a way of planning the installation of patches on a regular basis. SAP's Security Patch Day coincides with Patch Tuesday so that all required fixes can be installed on the same scheduled day. On SAP Security Patch Day the vendor releases a set of advisories (SAP Security Notes) containing instructions, patches, or both.

This article aims to give you insight into the latest set of SAP Security Notes. While the patching process is difficult and laborious, the main takeaways are as easy as one, two, three.

1. SAP released a record number of closed issues this month.

The patch update for October consists of 48 SAP Security Notes.

According to the latest SAP Cyber Security in Figures report, the average monthly number of SAP Security Notes was about 61 in 2011. It decreased to 53 in 2012 and to 30 in 2013. The average stayed almost the same in 2014 (32) and fell slightly in 2015 (25) and 2016 (22). This means that this patch update is twice the size of the average and among the biggest sets of fixes since 2012.

Nonetheless, not all the closed issues are that critical: 3 of them were rated high priority and the rest were rated medium priority. None received the Hot News rating, which is reserved for vulnerabilities that should be patched as soon as possible.

2. The majority of the patches (SAP Security Notes) fix implementation flaws.

Most of the issues closed this month are implementation flaws. The notes are titled "Switchable authorization checks" and introduce new switchable authorization check options, intended to improve "RFC security for CRM Solutions."

By default these checks are inactive to preserve compatibility with existing business processes. If a check is activated, some employees may no longer be able to do their daily work because access to documentation or functionality becomes restricted, which can bring business processes to a halt.

Implementing these patches is likely to require a lot of manual work from SAP administrators: SAP customers should assign the corresponding authorizations to the affected users in line with corporate policies before activating the checks.

3. One of the vulnerabilities (an authentication bypass in SAP P4) has potentially threatened SAP customers since 2013.

A missing authentication check in the SAP NetWeaver AS Java P4 Server core component (CVSS Base Score: 7.3) allows an attacker to read sensitive information to which access should be restricted.

The vulnerable component, SAP P4, provides remote control of SAP's Java platform, for example all SAP Portal systems. Although this service should not be reachable from the internet, in practice that is not always the case, as our internet survey shows.

To correct this issue, apply SAP Security Note 2331908.

The story of how this vulnerability was discovered is rather curious. First, the issue was discovered by another security company, and SAP released a fix in 2012. Based on the SAP Security Note, we wrote a special script to exploit this vulnerability during penetration testing. It usually worked, which led us to conclude that SAP customers simply hadn't implemented the appropriate patch. But then a client claimed that the patch was installed.

The investigation revealed that the bug still affects the latest versions of P4. For example, Service Pack 09 for version 7.2, which is vulnerable, was released in 2013. This means that this mission-critical service potentially stayed unpatched for at least 3 years, i.e. 256 systems (possibly more over the last 3 years) could be compromised. In March we reported the issue to the vendor, and now it is finally fixed.
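Since the P4 service should never be reachable from the internet, the first thing an SAP administrator can do while rolling out Note 2331908 is verify which AS Java instances actually expose P4 from outside the perimeter. The following script is an added example, not from the original article or from SAP; it assumes SAP's default port convention for AS Java (P4 on 5NN04 and P4 over SSL on 5NN06, where NN is the instance number) and constructed placeholder hostnames.

```python
import socket


def p4_port(instance, ssl=False):
    """Default P4 port for an AS Java instance number NN.

    Assumption (SAP default convention): 5NN04 for P4, 5NN06 for P4 over SSL.
    Instances with a non-default port configuration are not covered here.
    """
    nn = int(instance)
    if not 0 <= nn <= 99:
        raise ValueError("instance number must be in the range 00..99")
    return 50000 + nn * 100 + (6 if ssl else 4)


def p4_reachable(host, instance, timeout=3.0):
    """TCP-connect check from the vantage point this script runs on.

    Run it from outside the perimeter: True means the P4 port answers and the
    system should be treated as internet-exposed until the note is applied
    and the service is firewalled.
    """
    try:
        with socket.create_connection((host, p4_port(instance)), timeout=timeout):
            return True
    except OSError:  # refused, filtered, timed out or unresolvable host
        return False


def exposure_report(targets, probe=p4_reachable):
    """Build a list of {host, port, exposed} entries for (host, instance) pairs.

    `probe` is injectable so the report logic can be exercised offline.
    """
    return [
        {"host": host, "port": p4_port(inst), "exposed": probe(host, inst)}
        for host, inst in targets
    ]


if __name__ == "__main__":
    # Constructed sample inventory; replace with your own AS Java hosts.
    inventory = [("sapjava01.example.invalid", "00"), ("portal.example.invalid", 12)]
    for entry in exposure_report(inventory):
        status = "EXPOSED" if entry["exposed"] else "not reachable"
        print(f"{entry['host']}:{entry['port']} -> {status}")
```

Any host reported as exposed should be checked against Note 2331908 and, independently of patch state, have its P4 port restricted to the management network.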

SAP customers, as well as companies providing SAP security audit or SAP penetration testing services, should keep up with the latest SAP security news. Don't miss next month's SAP Security Notes analysis.

More details can be found here.


Stories by Alexander Polyakov
