Thomas Fritsch

SAP’s April Patch Tuesday requires special attention. The Spring4Shell vulnerability, CVE-2022-22965, was recently detected and has been successfully exploited, as noted by researchers. Onapsis Research Labs contributed to a serious vulnerability in SAP MII that could lead to a full compromise of the server in patching hosting the application.

SAP has published 17 new and updated Security Notes on its March Patch Day. The most critical patch is for SAP Focused Run, with a CVSS 9.3 vulnerability which can lead to full compromise of the affected systems.

SAP’s February Patch Tuesday brings new extremely critical vulnerabilities in all SAP applications that are based on SAP NetWeaver. SAP, CISA, and Onapsis strongly advise all impacted organizations to prioritize patching these affected systems as soon as possible.

SAP has published 35 new and updated Security Notes on its January Patch Day, demonstrating the serious impact of Log4j vulnerability on SAP security.

With 21 new and updated notes, including four HotNews Notes (with two of them being new) and six new and updated High Priority Notes, the last SAP Patch Tuesday in 2021 is slightly above this year’s average.

SAP’s November Patch Day contained 11 notes in total with only three new notes above CVSS 7.0, a record low number for the year. Nevertheless, the lower-rated notes should not be left unaddressed as some of these vulnerabilities can be used to launch follow-up attacks, e.g., through impersonation of users or exploiting transport permissions.

SAP has released 17 new and updated SAP Security Notes on its October 2021 patch release. Read on for Onapsis’s analysis.

SAP has published 21 new and updated Security Notes on its September Patch Day. Onapsis Research Labs contributed in fixing five vulnerabilities covered by three SAP Security Notes.

With nine critical patches in total, SAP customers are facing the most noteworthy SAP Patch Day this year.