Skip to Content
Contacteer ons
Chat nu Chat Offline
Live hulp en chat met een van onze SAP medewerkers.
Contacteer ons
E-mail ons uw opmerkingen, vragen of feedback.

SAP Trust Center

Find the information you need on cloud performance, security, privacy, and compliance.

Report a Security Issue

SAP is committed to identifying and addressing security issues that affect our software and cloud solutions. We are continuously working on improving our security processes. To report a potential security issue, choose from the options below.

SAP customers

Report a customer security issue by using the SAP ONE Support Launchpad to find a solution and get real-time support from an expert. 

Security researchers

Inform the SAP Security Response Team of a security issue by completing and submitting the security vulnerability form.

Note: Include the following details in the report, as applicable, so that we can better analyze the nature and scope of the security issue: issue category, affected product version with support package and patch level, necessary pre/post-conditions for the exploit to work, description with proof of concept or exploit code, and impact of the issue if exploited.

Secure configuration of SAP Gateway and SAP Message Server

SAP is aware of recent reports about vulnerabilities in SAP Gateway and SAP Message Server; however, these have been patched by SAP a few years ago.  Security notes 8218751408081, and 1421005 released in 2009 and 2013 will protect the customer from these exploits. As always, we strongly advise our customers to apply these security notes immediately and ensure secure configuration of the SAP landscape.


SAP takes the security of customer data seriously. The recommendations published in the white paper Securing Remote Function Calls (RFC) emphasize secure configuration of the SAP landscape. Customers can enable related security checks found in the EarlyWatch Alert (note 863362) and the SAP Security Optimization Services Portfolio.


SAP is committed to providing secure and reliable software solutions. As the global leader in business software, SAP bases its development processes on a comprehensive security strategy (“Prevent – Detect – React”) across the enterprise that relies on trainings, tools, and processes designed to support the security of SAP products and services.

Processor-based vulnerabilities

At the beginning of 2018, with Spectre (and Meltdown), a new class of vulnerabilities was published. In the following months, new variants have been discovered and published under the same pseudonym. Ongoing research and publication of new vulnerabilities and attacks suggest that the topic will continue to be relevant in the future. The common denominator of these vulnerabilities is that they are mostly caused by the architectural (hardware) design of the CPU that affects nearly every computer chip manufactured in the last 20 years.

These vulnerabilities could, if exploited, allow attackers to gain access to data previously considered protected. Possible attacks are called side-channel attacks, in which the execution speed (timing) of certain operations could allow the removal of memory contents that are normally not accessible. From a security perspective, one of the concerns is the breaking of boundaries within virtualized environments.

SAP thoroughly investigates the impact of these vulnerabilities and is closely aligning with corresponding vendors, providers, and the Open Source community. SAP works on investigating if, where, and how our platforms, databases, applications, and cloud operations are affected.  

SAP is taking a proactive approach and is fixing potential flaws derived from hardware side-channel attacks as expeditiously as possible. You can find more information on our patching progress for our cloud environments here (registration required). As a consumer of affected software and hardware, we largely depend on the availability of patches provided by respective vendors, providers, or the Open Source community. The schedule of applying appropriate patches is, to a large extent, determined by their availability.

SAP recommends that all customers carefully monitor and follow the advice on implementing security patches provided by hardware and operating system providers as soon as they become available. SAP will apply fixes to its cloud infrastructure. SAP Global Security is constantly monitoring the situation.

Each variant was given its own CVE number (updated November 6, 2018):

Each of these vulnerability variants may be exploited to read confidential data such as CPU or kernel memory. The level of criticality and potential for exploitation differs between each of the variants. 


For further vendor information about security vulnerabilities, resources, and responses, visit:

Please note that SAP is not liable for any content on these external sites.

Back to top