This post by the SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply the patches with priority to protect their SAP landscape.
On 14 November 2017, SAP Security Patch Day saw the release of 13 Security Notes. Additionally, there were 9 updates to previously released security notes.
List of security notes released on the November Patch Day (where a cell is blank, the source page did not list a value):

| Note | Title | Priority | CVSS |
|---|---|---|---|
| 2371726 | Update to Security Note released on September 2016 Patch Day: Code Injection vulnerability in Text Conversion | Very High | 9.1 |
| 2520772 | Update to Security Note released in September 2017: Information Disclosure in LaMa 3.0 | | |
| 2531241 | Update to Security Note released in September 2017: Information Disclosure in LVM 2.1 and LaMa 3.0 | | |
| 2500044 | Full access to SAP Management Console | High | 8.0 |
| 2492658 | Update to Security Note released on September 2017 Patch Day: Missing XML Validation vulnerability in SAP NetWeaver Java Workflow (JWF) | | |
| 1560538 | Update to Security Note released in May 2011: Missing authorization check in SCM-APO-INT | Medium | 6.3 |
| 2374767 | Cross-Site Scripting (XSS) vulnerability in SAPUI5 | Medium | 6.1 |
| 2473504 | Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Analysis Edition for OLAP | Medium | 6.1 |
| | Cross-Site Scripting (XSS) vulnerability in SAP CRM Mail Form Editor | Medium | 6.1 |
| 2471209 | Update to Security Note released on September 2017 Patch Day: Cross-Site Scripting (XSS) vulnerability in SAPGUI for HTML | | |
| 2492999 | Multiple security vulnerabilities in SAP ERP Learning Solution Content Player | Medium | 5.5 |
| | Update to Security Note released on September 2017 Patch Day: Handling of Digitally Signed notes in SAP Note Assistant | Medium | 5.5 |
| 2464582 | Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Knowledge Management XMLForms | Medium | 5.4 |
| 2400292 | Update to Security Note released on April 2017 Patch Day: Missing XML Validation vulnerability in TranslationSupport application | | |
| 2493171 | Information Disclosure in SAP NetWeaver Instance Agent Service | Medium | 5.3 |
| 2546220 | SNOTE: Digital signature verification along with note file extraction | Medium | 5.3 |
| 2508673 | Information Disclosure in SAP HANA Extended Application Services (XS Advanced) | Medium | 5.0 |
| 2535629 | DLL preload attack possible on NwSapSetup and Installation self extracting program | Medium | 5.0 |
| 2372301 | Update to Security Note released on April 2017 Patch Day: Missing XML Validation in Composite Application Framework Authorization Tool | | |
| 2508767 | Privilege Escalation after installation of SAP Systems on SAP HANA | Medium | 4.7 |
| 2514475 | Directory Traversal vulnerability in SAP BI Mobile Server | Medium | 4.3 |
| 2485208 | Log Injection Vulnerability in SAP NetWeaver AS Java | Medium | 4.3 |
[Chart] Security Notes vs Vulnerability Types – November 2017

[Chart] Security Notes vs Priority Distribution (June 2017 – November 2017)**
* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in the SAP Support Portal.
** Any Patch Day Security Note released after the second Tuesday will be accounted for in the following SAP Security Patch Day.
Customers who would like to see all Security Notes that were published or updated after the previous Patch Day can go to https://support.sap.com/securitynotes -> All Security Notes -> Filter for notes which have been published after 10 October 2017.
To know more about the security researchers and research companies who have contributed to the security patches of this month, visit the SAP Product Security Response Acknowledgement Page.
Do write to us at [email protected] with all your comments and feedback on this blog post.
SAP Product Security Response Team