- SAP Security Patch Day
SAP Security Patch Day – March 2023
March 2023 Security Patch Day shines because of the publication of five (5) critical corrections ranging between CVSS 9.0 and 9.9.
SAP Security Patch Day
The Walldorf-based software giant SAP has established the monthly SAP Security Patch Day to publish the latest security updates for its comprehensive product portfolio. As with almost every leading software producer, reports of security vulnerabilities or product bugs are recorded, processed, and fixed in a standardized procedure. The result is at least a correction guide, often also an installable security patch or even a service pack.
What is SAP Security Patch Day?
Security patches are released on the second Tuesday of each calendar month as part of SAP Security Patch Day. Security researchers and customers can report chess points to SAP as part of a “Responsible Disclosure” process. The resulting corrections are then presented to the SAP customer community on the following Patch Day. Customers can find the SAP Notes for the respective month on SAP Security Patch Day in Digital Asset Management.
Besides the PDF document, one can also select the security notes in the SAP Support Portal in the ONE Support Launchpad application “SAP Security Notes”.
Many leading software vendors follow a Patch Day ritual. Compared to a selective release, the bundled publication on a predictable date offers advantages for both customers and manufacturers. For example, customers don’t have to worry about missing an SAP Security Patch, while SAP can spend time between Security Patch Days identifying and fixing security vulnerabilities.
It is good practice for software vendors to give their customers and external security researchers the possibility to report potential vulnerabilities. These reports are received and processed as part of “Responsible Disclosure” based on the CERT policy for Coordinated Vulnerability Disclosure. It is common practice to name the researcher of vulnerability disclosure, and SAP does so with an SAP Security Patch Day.
How to report security issues to SAP?
SAP is committed to identifying and addressing security issues that affect its software and cloud solutions. Besides continuously improving the security processes, SAP also offers responsible vulnerability disclosure via the SAP Trust Center. SAP adopts the principle of coordinated vulnerability disclosure provided by CERT in 2017.
March 2023 Security Patch Day shines because of the publication of five (5) critical corrections ranging between CVSS 9.0 and 9.9.
Today, on February 14th, 2023, the SAP response team released security patches to the SAP product portfolio, consisting of 21 SAP Security Notes.
Installing SAP patches is crucial for maintaining a robust and secure enterprise resource planning (ERP) system. SAP, one of the leading ERP systems in the world, is constantly evolving to meet the changing needs of businesses. As a result, SAP releases various patches to address issues and enhance the functionality of its software. However, installing SAP patches can present challenges for IT teams, such as ensuring minimal disruption to business operations, managing risks, and testing the non-implemented patches. This article will discuss the three most common types of SAP patches- kernel patches, snote patches, and support packs - and the best practices for installing them.
How quickly should SAP security notes be installed?
The general answer to the question can only be: “As fast as possible”. Since this is not always possible and reasonable, we recommend using a risk-based approach. In addition to the importance of the SAP Security Note under review, you should also consider the SAP software component affected by the vulnerability. Depending on the deployment scenario and the state of the affected software component, you can define individual prioritization. If there are reasons not to install a critical patch, keep compensatory measures in mind.
Questions (FAQ)
When is SAP Security Patch Day?
Generally, this day happens only once a month and is always on the second Tuesday of the respective month.
When will the patches be released?
The SAP Response Team releases the latest fixes and security updates at 9:00 CET on SAP Patch Day.
What helpful sources of information exist on SAP security notes?
We recommend you look at our Advisory Page, which you can find at abex.io/advisory. At the same time, there are many helpful articles on our blog. Of course, you can also get information in the ONE Support Launchpad application “SAP Security Notes” using the SAP customer account.
Can all SAP products be patched with the SNOTE transaction?
No, this is only possible for S/4HANA and SAP NetWeaver ABAP/4. For JAVA-based applications and other technologies, you should use different update procedures. The reason for this is that, like all large software manufacturers, SAP has acquired new solutions to expand its product portfolio.
Can I get notified on Patch Day?
Unfortunately, we are not aware of such a service offered by SAP. However, our team always publishes an SAP Security Patch Day summary article, which we share with all followers via our LinkedIn channel. The release of our summary happens shortly after the SAP Security Patch Day publication, and followers will receive a notification.
How can I report a vulnerability to SAP?
If you find a vulnerability in standard software, please handle this sensitive information with care, not to expose the customers of the solution to unnecessary risks. To report a vulnerability to SAP, we recommend that you visit the SAP Trust Center’s Security Issue Management.
How to improve Security Patch Management for SAP?
The Patch Management solution built into the SecurityBridge Platform shows all relevant security patches existing for any SAP instance.
Latest Resources
- White Paper
How SecurityBridge Supports NIST CSF in SAP Environments
Download the White Paper "Bridging the Gap - How SecurityBridge Supports NIST CSF in SAP Environments". Learn how choosing the right tool can significantly shorten the journey of NIST CSF adoption and improve the security posture of SAP environments.
- White Paper
Which cybersecurity framework is the best fit for SAP application security?
Download the White Paper "Which cybersecurity framework is the best fit for SAP application security?" to learn more about the available frameworks, the challenges when adopting a framework, and more.
- White Paper
Your Road to SAP Security
Download the White Paper "YOUR ROAD TO SAP SECURITY" to learn about the major milestones towards increasing the cybersecurity posture of your SAP systems.
- White Paper
Top mistakes to avoid in SAP security
Within this whitepaper you will learn about the key mistakes that can be avoided when it comes to SAP Security. History has shown that many companies have suffered from cyber incidents, moreover, not all incidents are reported or have been made available to the public.
- Report
SAP Security Product Comparison Report
Download the SAP Security Product Comparison Report and understand that holistic security for SAP can be delivered by a single solution.
- Video
How remote working affects your SAP security posture
Remote work is posing new challenges to companies' SAP security posture. In our webinar on May 7th, we showcased a potential attack on an SAP system, using techniques which are common tools among hackers. Using a password spray attack, we first tried to gain access to the system and subsequently extracted the password hashes of all users.
