SAP has finally issued a patch for a critical vulnerability that has been wide open to exploitation for three years.

The patch is among the biggest Patch Tuesdays from SAP since 2012, and will address 48 vulnerabilities in the widely used enterprise resource planning (ERP) software suite.


The vulnerability that has been unpatched since 2013 is described by ERPScan, a specialist security company that focuses on ERP software, as a “missing authentication check-in” in SAP P4.

It was uncovered by Vahagn Vardanyan, a senior business applications security researcher at ERPScan.

“Initially, the patch to close this issue in the old P4 versions was released in 2012. Later, based on the SAP Security Note, we wrote a special script to exploit this vulnerability during penetration testings,” Vardanyan told Computing.

“The script usually worked. We decided that SAP customers didn’t implement the appropriate patch and recommended that they did so. But once our client claimed that they had installed the patch, the investigation revealed that the bug still affects the latest versions of the service. In March, we sent this issue to the vendor and, now, it’s finally fixed.”

Three of the 48 patches are described by SAP as “high priority”, meaning they should be implemented as soon as possible.

ERPScan noted that the majority of the flaws patched this month are switchable authorisation checks.

In a blog posting, the company explains: “By these patches, new switchable authorisation checks were implemented. By default, they are inactive to ensure compatibility with processes. In case the authorisation is automatically turned on, it can lead to business processes stoppage, when an employee hasn’t got access to the required functionality or documentation.”

It goes on to warn that implementing these patches will likely require “a lot of manual work”. SAP customers should assign the authorisation rights to the corresponding users in proper time and in accordance with corporate policies, it advises.

Earlier patch issues from SAP include a series of 26 patches to fix denial of service and SQL injection flaws in August, and a 36-patch issue which included patches to fix so-called ‘clickjacking’ vulnerabilities in July.

Author: Graeme Burton