March 2026 · 15 notes released
Patch ArchiveMarch 2026 SAP Security Patches
Critical and high severity notes from SAP Patch Tuesday March 10, 2026. All content is editorial summary, not professional security advice. CVSS scores and SAP Note IDs are factual references. Patch timing is the responsibility of your security team based on your environment and SAP's official guidance.
2
Critical (covered)
1
High (covered)
0
Medium (covered)
0
Low (covered)
Remote Code Execution via Apache Log4j 1.2 SocketServer in SAP Quotation Management Insurance
SAP Quotation Management Insurance ships an outdated Apache Log4j 1.2.17 component whose SocketServer class accepts serialized log events without authentication. An unauthenticated remote attacker can send a crafted payload to the SocketServer port and achieve remote code execution. CVE-2019-17571 was the original Log4j 1.x SocketServer disclosure — this SAP Note applies the fix to the bundled component.
Insecure Deserialization in SAP NetWeaver Enterprise Portal Administration
Privileged users can upload malicious serialized objects through the Enterprise Portal Administration interface. When the server deserializes these objects, arbitrary code executes in the context of the portal server process, compromising confidentiality, integrity, and availability of the system.
Denial of Service via RFC Function Module Resource Exhaustion in SAP Supply Chain Management
An authenticated user can call an RFC-enabled function module with excessively large parameter values, triggering an uncontrolled loop that exhausts system resources and renders the affected system unavailable. Both standalone SAP SCM and the SCM components embedded in S/4HANA are affected.