SAP Security Notes & News

Review and implement critical SAP Security Notes, plan for upcoming SAP Security Patch Days and read critical SAP Security News

SAP Security Notes

SAP Security Notes contain SAP's expert advice regarding important action items and patches to ensure the security of your systems.

SAP Security Notes FAQs

Get your frequently asked questions regarding SAP security patching answered by reviewing our SAP Security Notes FAQs.

Report a Possible Security Vulnerability to SAP

SAP takes all matters relating to your security very seriously, and we are constantly working on improving our product security measures. If you discover a potential security vulnerability in any SAP Software then follow the guidelines here.

Security Spotlight News

Critical authentication-based vulnerability patched in LM Configuration Wizard of SAP NetWeaver AS Java - July 14 2020

On SAP Security Patch Day – 14 July 2020, SAP released a patch to an authentication-based vulnerability rated CVSS 10.0 in LM Configuration Wizard of SAP NetWeaver AS Java. Detailed information for customers is available in the security note 2934135

We strongly advise our customers to apply the security note immediately to protect against potential exploits and to ensure secure configuration of their SAP landscape. Customers can refer to the knowledge base article 2948106 for FAQs on implementation of the security note.  

As the global leader in business software, SAP has based its development processes on a comprehensive security strategy across the enterprise that relies on trainings, tools and processes to enable the delivery of secure products and services.

SAP Security Patch Day

The security maintenance of installed SAP software is key to continuously protect also against new types of attacks or newly identified potential weaknesses.

Based on feedback from customers, partners and SAP user groups, SAP has launched a regular SAP Security Patch Day, scheduled for the second Tuesday of every month — which has been synchronized with the Security Patch Day of other major software vendors.

On these SAP Patch Days, SAP publishes software corrections as SAP Security Notes, focused solely on security to protect against potential weaknesses or attacks. Access SAP Security Notes in the Launchpad, then select All Security Notes, to get the complete list of all SAP Security Notes. We recommend that you implement these corrections at a priority. Several tools are available to help identify, select and implement these corrections.

SAP categorizes SAP Security Notes as Patch Day Security Notes and Support Package Security Notes, with the sole purpose of making you focus on important fixes on patch days and the rest to be implemented automatically during SP upgrades. For details refer to the SAP Security Notes FAQ. Security fixes for SAP NetWeaver based products are also delivered with the support packages.

Starting June 11, 2019, for all new SAP Security Notes with high or very high severity we deliver fix for Support Packages shipped within the last 24 months* for the versions under Mainstream Maintenance and Extended Maintenance. This is extended from the previous Support Package coverage of 18 months. 

Notes with low or medium priority contain corrections in at least the newest support package in all mainstream and extended maintenance releases.

*See the following areas with an exception from the 24 months (starting June 11, 2019) with their general maintenance strategy

Planned Dates for 2021 SAP Security Patch Days

January 12

February 9

March 9

April 13

May 11

June 8

July 13

August 10

September 14

October 12

November 9

December 14