SAP Security Notes & News

Review and implement critical SAP Security Notes, plan for upcoming SAP Security Patch Days and read critical SAP Security News

SAP Security Notes

SAP Security Notes contain SAP's expert advice regarding important action items and patches to ensure the security of your systems.

SAP Security Notes FAQs

Get your frequently asked questions regarding SAP security patching answered by reviewing our SAP Security Notes FAQs.

Report a Possible Security Vulnerability to SAP

SAP takes all matters relating to your security very seriously, and we are constantly working on improving our product security measures. If you discover a potential security vulnerability in any SAP software, follow the guidelines here.

Security Spotlight News

Securely Configuring SAP Gateway and SAP Message Server - May 2, 2019

SAP is aware of recent reports about vulnerabilities in SAP Gateway and SAP Message Server; however, these were patched by SAP a few years ago. Security notes 821875, 1408081 and 1421005, released in 2009 and 2013, will protect the customer from these exploits. As always, we strongly advise our customers to apply these security notes immediately and ensure secure configuration of their SAP landscape.

SAP takes the security of customer data seriously. The recommendations published in the white papers A Practical Guide for Securing SAP® Solutions and Securing Remote Function Calls (RFC) emphasize secure configuration of the SAP landscape. Customers can leverage related security checks in the EarlyWatch Alert (note 863362) and the SAP Security Optimization Service (https://support.sap.com/sos).

SAP stands for secure and reliable software solutions. As the global leader in business software, SAP has based its development processes on a comprehensive security strategy (“Prevent – Detect – React”) across the enterprise that relies on trainings, tools and processes to enable the delivery of secure products and services.

SAP Security Patch Day

The security maintenance of installed SAP software is key to continuous protection, including against new types of attacks or newly identified potential weaknesses.

Based on feedback from customers, partners and SAP user groups, SAP has launched a regular SAP Security Patch Day, scheduled for the second Tuesday of every month — which has been synchronized with the Security Patch Day of other major software vendors.

On these SAP Patch Days, SAP publishes software corrections as SAP Security Notes, focused solely on security to protect against potential weaknesses or attacks. Access SAP Security Notes in the Launchpad, then select All Security Notes, to get the complete list of all SAP Security Notes. We recommend that you implement these corrections as a priority. Several tools are available to help identify, select and implement these corrections.

SAP categorizes SAP Security Notes as Patch Day Security Notes and Support Package Security Notes, with the sole purpose of letting you focus on important fixes on patch days while the rest are implemented automatically during SP upgrades. For details, refer to the SAP Security Notes FAQ. Security fixes for SAP NetWeaver based products are also delivered with the support packages.

Starting June 11, 2019, for all new SAP Security Notes with high or very high priority, we deliver fixes for Support Packages shipped within the last 24 months*. This is extended from the previous Support Package coverage of 18 months.

Notes with low or medium priority contain corrections in at least the newest support package in all mainstream and extended maintenance releases.

*See the following areas with an exception from the 24 months (starting June 11, 2019) with their general maintenance strategy

Planned Dates for 2019 SAP Security Patch Days

January 8

February 12

March 12

April 9

May 14

June 11

July 9

August 13

September 10

October 8

November 12

December 10