This post by the SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply patches on priority to protect their SAP landscape.


On the 13th of September 2016, SAP Security Patch Day saw the release of 11 Security Notes. Additionally, there were 3 updates to previously released Patch Day Security Notes.


As of March 01, 2016, SAP Security Note prioritization is based on the CVSS v3 Base score. The revised prioritization scheme is aligned with industry best practice and is intended to provide better transparency to our customers. From the March 2016 Security Patch Day onward, all Patch Day Security Notes will carry the CVSS v3 Base score and vector information to assist our customers in their risk assessment. For further details, please refer to our blog on CVSS v3.

___________________________________________________________________________________________


[Figure: Security Notes vs Vulnerability Type – September 2016]

[Figure: Security Notes vs Priority Distribution (April 2016 – September 2016)**]

* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in SAP Support Portal

** Any Patch Day Security Note released after the second Tuesday, will be accounted for in the following SAP Security Patch Day.


To learn more about the security researchers and research companies who contributed to this month's security patches, visit the SAP Product Security Response Acknowledgement Page.


Do write to us at secure@sap.com with all your comments and feedback on this blog post.


SAP Product Security Response Team


2 Comments


  1. Martin Daeufel

    I am trying to find out if for the vulnerability described in OSS Note 2344524 usernames can be enumerated from an external facing portal even if the users are LDAP users and not local UME users. Any guidance would be appreciated.

    1. Udit Singh Post author

      Hello Martin,

      For further information regarding released Security Notes, please create a Customer Support Incident if you are a registered SAP Customer. If not, please write to secure@sap.com and we can guide you to the proper channels.

      -Udit

