SAP Security Notes & News

Review and implement critical SAP Security Notes, plan for upcoming SAP Security Patch Days and read critical SAP Security News

SAP Security Notes

SAP Security Notes contain SAP's expert advice regarding important action items and patches to ensure the security of your systems.

SAP Security Notes FAQs

Get your frequently asked questions regarding SAP security patching answered by reviewing our SAP Security Notes FAQs.

Report a Possible Security Vulnerability to SAP

SAP takes all matters relating to your security very seriously, and we are constantly working on improving our product security measures. If you discover a potential security vulnerability in any SAP software, follow the guidelines here.

Security Spotlight News

Critical authentication-based vulnerabilities fixed on SAP Solution Manager - March 10, 2020

On SAP Security Patch Day – March 2020, we fixed two authentication-based vulnerabilities (CVSS 9.8 and 10.0) on SAP Solution Manager. Detailed information for customers is available in security notes 2890213 and 2845377.

Applying these security notes will protect the customer against potential exploits of the vulnerabilities. We therefore strongly advise our customers to apply the security notes immediately and ensure secure configuration of their SAP landscape.

SAP stands for secure and reliable software solutions. As the global leader in business software, SAP has based its development processes on a comprehensive security strategy (“Prevent – Detect – React”) across the enterprise that relies on training, tools and processes to enable the delivery of secure products and services.

Remote code execution vulnerability fixed on SAP Business Objects Business Intelligence Platform - March 10, 2020

On SAP Security Patch Day - March 2020, we fixed a remote code execution vulnerability (CVSS 8.2) on SAP Business Objects Business Intelligence Platform (Crystal Reports). Detailed information for customers is available in security note 2861301.

Applying this security note will protect the customer against potential exploits of the vulnerability. We therefore strongly advise our customers to apply the security note immediately and ensure secure configuration of their SAP landscape.


SAP Security Patch Day

The security maintenance of installed SAP software is key to continuous protection, including against new types of attacks and newly identified potential weaknesses.

Based on feedback from customers, partners and SAP user groups, SAP has launched a regular SAP Security Patch Day, scheduled for the second Tuesday of every month — which has been synchronized with the Security Patch Day of other major software vendors.

On these SAP Patch Days, SAP publishes software corrections as SAP Security Notes, focused solely on security to protect against potential weaknesses or attacks. To get the complete list of all SAP Security Notes, access SAP Security Notes in the Launchpad, then select All Security Notes. We recommend that you implement these corrections as a priority. Several tools are available to help identify, select and implement these corrections.

SAP categorizes SAP Security Notes as Patch Day Security Notes and Support Package Security Notes, with the sole purpose of letting you focus on important fixes on patch days while the rest are implemented automatically during SP upgrades. For details, refer to the SAP Security Notes FAQ. Security fixes for SAP NetWeaver based products are also delivered with the support packages.

Starting June 11, 2019, for all new SAP Security Notes with high or very high priority, we deliver fixes for Support Packages shipped within the last 24 months*. This is extended from the previous Support Package coverage of 18 months.

Notes with low or medium priority contain corrections in at least the newest support package in all mainstream and extended maintenance releases.

*See the following areas with an exception from the 24 months (starting June 11, 2019) with their general maintenance strategy

Planned Dates for 2020 SAP Security Patch Days

January 14

February 11

March 10

April 14

May 12

June 9

July 14

August 11

September 8

October 13

November 10

December 8