
Re: SAP, OpenSSL, and Heartbleed


Thanks, Martin.  Yes, this was precisely my question.  I have seen some mention of OpenSSL being credited as one of many third-party products used in ADS, though it wasn't clear in what fashion (since ADS would simply reuse the NetWeaver Java AS' security protocols, no?), so that did make me wonder.  I've also seen elsewhere that the Java AS includes a cryptography suite from IAIK.  So, that made me wonder whether, if SAP did reuse some third-party code in sapcryptolib, the copyright notice for same would be buried in the code itself.

 

At the moment I'm feeling reasonably secure about this (as secure as one ever feels in the face of the unknown, anyway), as if this truly were a problem I'd have expected there to be a lot more chatter here about it, and/or there would have been an identified patch to common-cryptolib or sapcryptolib within the past day or so, which doesn't seem to have been the case.  Perhaps that patch will come out in the next couple days, but I'm thinking you're right, and OpenSSL's mistake isn't repeated here.

 

Regards,

Matt

