SAP Security Patch Day in December 2019
On the second Tuesday of every month, SAP issues patch releases. For December, the set of security notes consists of 13 items (7 security notes from SAP and 6 additional ones). Each note addresses vulnerabilities discovered in different SAP products.
The highest CVSS base score in the patch update for December 2019 is 9.8, tagged with the Hot News priority. 12 out of 13 notes have received the medium priority rating.
Four updates out of 13 address Missing Authorization Check vulnerabilities, the most common vulnerability type this month as well as the previous one.
As for platforms, SAP ABAP has six vulnerabilities, which is more than any other platform in this set of security notes.
Organizations running SAP have to secure the data their SAP systems store, since attacks on these systems allow an attacker to obtain or change business-critical information.
SAP therefore strongly recommends that customers visit the Support Portal and apply patches as a priority to protect their SAP landscape.
SAP Security Lapse
The very beginning of December 2019 became notorious for an SAP security lapse. New Zealand’s firearms buy-back scheme was at the center of a data breach caused by human error at SAP.
A software update mistakenly assigned higher-level privileges to some users within New Zealand’s firearms buy-back notification database. This update on the website caused personal data exposure: names, addresses, dates of birth, firearms license numbers and bank account details were accessible.
SAP called this case “human error”. The error involved the wrong security profiles being assigned to gun dealers.
Why is this important? This incident serves as a reminder to us all that we have to be particularly careful with people’s personal information.