As a key SAP security researcher at Onapsis, Thomas Fritsch is a trusted authority on vulnerability management and emerging threats. Leveraging his extensive career as an SAP expert, he focuses on deeply technical areas like SAP system configuration and transport management. Thomas’s analysis of the latest SAP security patches and vulnerabilities is a core component of the research that provides the in-depth, actionable intelligence organizations need to protect their systems. His role as a respected speaker and publisher further establishes him as a definitive voice in the SAP cybersecurity space, helping to bridge the gap between complex research and real-world security practices.
Additional SAP BTP Applications affected by critical Privilege Escalation Vulnerability reported in December 2023
Code security tools have to perform a data flow analysis to identify vulnerabilities like SQL Injection, OS Command Injection, Code Injection, and Directory Traversal. The market-leading solution, Onapsis C4CA, and other tools in the market follow different approaches with regard to this data flow analysis and the resulting finding management. While some tools only start a local data flow analysis, C4CA optionally executes a global data flow analysis.
SAP’s October Patch Day was extremely calm. The only HotNews Note is an update of SAP Security Note #2622660, which provides regular patches for SAP Business Client, including the latest tested Chromium patches. The rest of the published SAP Security Notes are of Medium Priority.
Critical Patches for SAP BusinessObjects and SAP CommonCryptoLib released
New HotNews Note for SAP PowerDesigner and Important Update on July HotNews Note
Important Patches for IS-OIL, Solution Manager, Web Dispatcher, and ICM
SAP customers often rely only on S_RFC authorizations to protect access to business data via RFC-enabled function modules (RFC FMs). This is risky because, due to the complexity of business scenarios, S_RFC authorizations are often assigned very generically (RFC_NAME = ‘*’). Another reason that S_RFC authorizations lack granularity is that in the past they could only be restricted at the function group level.