As a key SAP security researcher at Onapsis, Thomas Fritsch is a trusted authority on vulnerability management and emerging threats. Leveraging his extensive career as an SAP expert, he focuses on deeply technical areas like SAP system configuration and transport management. Thomas’s analysis of the latest SAP security patches and vulnerabilities is a core component of the research that provides the in-depth, actionable intelligence organizations need to protect their systems. His role as a respected speaker and publisher further establishes him as a definitive voice in the SAP cybersecurity space, helping to bridge the gap between complex research and real-world security practices.
Important Patches for IS-OIL, Solution Manager, Web Dispatcher, and ICM
SAP customers often rely only on S_RFC authorizations to protect access to business data via RFC-enabled function modules (RFC FMs). This is risky because, given the complexity of business scenarios, S_RFC authorizations are often assigned very generically (RFC_NAME = ‘*’). Another reason S_RFC authorizations lack granularity is that, in the past, they could only be restricted at the function group level.
Highlights of the May SAP Security Notes analysis include twenty-five new and updated SAP security patches, among them three HotNews Notes and nine High Priority Notes. Several critical vulnerabilities in the web interface of SAP 3D Visual Enterprise License Manager deserve close attention. This month also marks the fourth time in a row that Onapsis Research Labs has directly contributed to SAP Patch Tuesday.
Critical Vulnerabilities in SAP Diagnostics Agent Pose Risk To All SAP Systems
Critical Vulnerabilities patched in SAP NetWeaver AS ABAP / Java and in SAP BusinessObjects
SAP applications often need to restrict certain entities’ access to a subset of all instances. In most scenarios, SAP’s authorization concept is sufficient for this purpose. However, using SAP authorizations has some disadvantages: Developers can eliminate these disadvantages by integrating allowlists into business processes. By assigning an appropriate delivery class to…
SAP Patch Day for February 2023 addresses twenty-six new and updated security patches, which include one HotNews Note and five High Priority Notes.
SAP Patch Day for January 2023 addresses critical vulnerabilities patched in SAP AS ABAP and Java.
Onapsis Research Labs shares some of the top SAP security vulnerabilities organizations should be aware of from 2022.