Severity: critical | Published: 2026-03-10 | Product: SAP FS-QUO | CVE-2019-17571

Remote Code Execution via Apache Log4j 1.2 SocketServer in SAP Quotation Management Insurance

SAP Quotation Management Insurance (FS-QUO)

Our Take

The CVE number is from 2019: this is a known Log4j 1.2 deserialization issue that is now being patched in the SAP FS-QUO bundle. If you run SAP Insurance (FS-QUO), this is a critical exposure. If you do not run FS-QUO, this note does not apply to you. The product scope is narrow, but a CVSS 9.8 score demands immediate action for affected shops.

Vulnerability Detail

SAP Quotation Management Insurance ships an outdated Apache Log4j 1.2.17 component whose SocketServer class accepts TCP connections and deserializes the serialized log events it receives from any client, without authentication. An unauthenticated remote attacker who can reach the SocketServer port can send a crafted serialized payload and achieve remote code execution. CVE-2019-17571 is the original Log4j 1.x SocketServer disclosure; this SAP Note applies the fix to the bundled component.
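The vulnerable code lives in two classes of the Log4j 1.x jar: `org.apache.log4j.net.SocketServer` (the listener) and `org.apache.log4j.net.SocketNode` (which deserializes the received events). The following inventory script is an added example, not code from SAP or from the Log4j project: it walks a directory tree, identifies Log4j 1.x jars by the presence of `org/apache/log4j/Logger.class`, reads the manifest version, and flags any jar that still ships the SocketServer classes. The sample jars it builds are constructed stand-ins with dummy class entries, not real Log4j builds.

```python
"""Inventory Log4j 1.x jars and flag those still shipping the SocketServer classes.

Added example for CVE-2019-17571 triage; the jar layout it checks for is the
standard Log4j 1.2 layout, the sample jars below are constructed.
"""
import os
import pathlib
import re
import tempfile
import zipfile

# Classes involved in CVE-2019-17571: SocketServer accepts the TCP connection,
# SocketNode performs the ObjectInputStream deserialization of LoggingEvents.
SOCKET_CLASSES = (
    "org/apache/log4j/net/SocketServer.class",
    "org/apache/log4j/net/SocketNode.class",
)
LOG4J1_MARKER = "org/apache/log4j/Logger.class"   # absent from Log4j 2 (org/apache/logging/log4j)
VERSION_RE = re.compile(r"^Implementation-Version:\s*(\S+)", re.MULTILINE)


def inspect_jar(jar_path):
    """Describe a jar; return None if it is not a readable Log4j 1.x jar."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            names = set(zf.namelist())
            if LOG4J1_MARKER not in names:
                return None
            version = None
            if "META-INF/MANIFEST.MF" in names:
                manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
                match = VERSION_RE.search(manifest)
                if match:
                    version = match.group(1)
            present = [cls for cls in SOCKET_CLASSES if cls in names]
    except zipfile.BadZipFile:
        return None
    return {
        "path": str(jar_path),
        "version": version,
        "socket_classes": present,
        "vulnerable": bool(present),   # class present == exposure is possible if a listener is started
    }


def scan_tree(root):
    """Return findings for every Log4j 1.x jar below root, sorted by path."""
    findings = []
    for path in pathlib.Path(root).rglob("*.jar"):
        info = inspect_jar(path)
        if info is not None:
            findings.append(info)
    return sorted(findings, key=lambda f: f["path"])


def write_sample_jar(path, version, include_socket_server, log4j1=True):
    """Write a constructed stand-in jar (dummy class bytes, not a real Log4j build)."""
    entries = {"META-INF/MANIFEST.MF": f"Manifest-Version: 1.0\nImplementation-Version: {version}\n"}
    if log4j1:
        entries[LOG4J1_MARKER] = b"\xca\xfe\xba\xbe"
    if include_socket_server:
        for cls in SOCKET_CLASSES:
            entries[cls] = b"\xca\xfe\xba\xbe"
    with zipfile.ZipFile(path, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)


def run_demo():
    """Build a constructed tree with three jars and scan it; returns the findings."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    write_sample_jar(os.path.join(root, "log4j-1.2.17.jar"), "1.2.17", True)
    write_sample_jar(os.path.join(root, "log4j-hardened.jar"), "1.2.17-nosocket", False)
    write_sample_jar(os.path.join(root, "other-lib.jar"), "3.0", False, log4j1=False)
    return scan_tree(root)


if __name__ == "__main__":
    for finding in run_demo():
        flag = "VULNERABLE" if finding["vulnerable"] else "ok"
        print(f"{flag:10} {finding['version'] or '?':16} {finding['path']}")
```

A flagged jar means the deserializing listener can be started, not that it is running; pair this inventory with a check of which Java processes are launched with `org.apache.log4j.net.SocketServer` on their command line and which ports they listen on, since that port is what the workaround below needs to firewall.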

Workaround

Disable or firewall the Log4j SocketServer port if patching cannot be done immediately. Do not expose FS-QUO to untrusted networks.

Patch Action

Apply SAP Note 3698553. The note updates the bundled Log4j component and disables the vulnerable SocketServer.

Affected Versions

FS-QUO 800

Patch Info

Timing

🔴 Patch immediately

CVSS Score

9.8

SAP Note

3698553

CVE

CVE-2019-17571

Published

2026-03-10

Timing recommendations are editorial. Verify against official SAP Security Notes before acting on production systems.