This post by SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that the customer visits the Support Portal and applies patches on a priority to protect his SAP landscape.
On 11th of October 2016, SAP Security Patch Day saw the release of 11 Patch Day Security Notes. Additionally, there were 1 Update to previously released Security Notes.
One of the highlights of this patch day was the release of 31 Support Package Security Notes* for improving RFC security for CRM Solutions. For details please refer to the central Security Note 2078596.
As of March 01, 2016, SAP Security Note prioritization is based on CVSS v3 Base score. The revised prioritization scheme is aligned with the industry’s best practice, and to provide better transparency to our customers. From March 2016 security patch day, all patch day security notes will carry CVSS v3 Base score and vector information to assist our customers in their risk assessment. For further details, please refer to our blog on CVSS v3.
Security Notes vs Vulnerability Type – October 2016
Security Notes vs Priority Distribution (May 2016 – October 2016)**
* Patch Day Security Notes are all notes that fix vulnerabilities reported by external sources and internal findings with priority “Very High”.
* Support Package Security Notes fix vulnerabilities found internally with priority “Low”, “Medium” and “High”.
** Any Patch Day Security Note released after the second Tuesday, will be accounted for in the following SAP Security Patch Day.
To know more about the security researchers and research companies who have contributed for security patches of this month visit SAP Product Security Response Acknowledgement Page
Do write to us at firstname.lastname@example.org with all your comments and feedback on this blog post.