This post by the SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply patches as a priority to protect their SAP landscape.

On 14th of March 2017, SAP Security Patch Day saw the release of 25 security notes. Additionally, there were 2 updates to previously released security notes.

We would like to inform our customers that the March Patch Day, which also includes a Security Note of Very High priority (Hot News), is immediately followed by security conferences where SAP vulnerabilities are expected to be discussed. We therefore remind you to apply all SAP Security Notes as a priority. You may also visit this blog by the SAP HANA Security Team to learn more about security patches in SAP HANA.

List of security notes released on the March Patch Day:

| Note# | Title | Priority | CVSS |
|---|---|---|---|
| 2424173 | Vulnerabilities in the user self-service tools of SAP HANA | Very high | 9.8 |
| 2429069 | Session fixation vulnerability in SAP HANA extended application services, classic model | High | 8.8 |
| 2407616 | Remote Code Execution vulnerability in SAP GUI for Windows | High | 8.0 |
| 2399804 | Denial of service (DOS) in Visual Composer | High | 7.5 |
| 2405918 | Denial of service (DOS) in SAP Netweaver Dynpro Engine | High | 7.5 |
| 2416119 | Improved security for HTTP URL outgoing connections in SAP Netweaver | High | 7.4 |
| 2418823 | Update 1 to Note 2319506 | High | 7.2 |
| 2378999 | Missing Authorization check in SAP ERP Materials Management | Medium | 6.3 |
| 2408100 | Cross-Site Scripting (XSS) vulnerability in Enterprise Portal – GenericSemanticTest component | Medium | 6.1 |
| 2417046 | Cross-Site Scripting (XSS) vulnerability in SAP Netweaver Monitoring application | Medium | 6.1 |
| 2372626 | Missing XML Validation vulnerability in SAP Netweaver Log Viewer application | Medium | 5.5 |
| 2332977 | Cross site scripting (XSS) vulnerability in Web Dynpro ABAP | Medium | 5.4 |
| 2333845 | Cross-Site Scripting (XSS) vulnerability in UnifiedRendering | Medium | 5.4 |
| 2335272 | Cross-Site Scripting (XSS) vulnerability in SAP GUI for HTML | Medium | 5.4 |
| 2360761 | Memory Corruption vulnerability in SAP 3D Visual Enterprise Author, Generator and Viewer | Medium | 5.4 |
| 2386814 | Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Web Intelligence HTML interface | Medium | 5.4 |
| 2392509 | Cross-Site Scripting (XSS) vulnerability in Enterprise Portal styleservice | Medium | 5.4 |
| 2417428 | Cross-Site Scripting (XSS) vulnerability in SAP Travel Management | Medium | 5.4 |
| 2418209 | Cross-Site Scripting (XSS) vulnerability in Security Diagnostic Tool | Medium | 5.4 |
| 2372188 | Information Disclosure in Business Process Management | Medium | 5.3 |
| 2424120 | Information disclosure in SAP HANA cockpit for offline administration | Medium | 4.9 |
| 2381388 | Missing Authorization check in SAP ERP Materials Management | Medium | 4.3 |
| 2406841 | Java Script Engine of ABAP server may become unavailable | Low | 2.7 |
| 2426260 | SQL Injection vulnerability in SAP HANA extended application services, classic model | Low | 2.7 |
| 2428811 | SQL Injection vulnerability in SAP HANA Web Workbench | Low | 2.7 |

 

_______________________________________________________________________________________________

Security Notes vs Vulnerability Types – March 2017

Security Notes vs Priority Distribution (October 2016 – March 2017)**

* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in the SAP Support Portal.

** Any Patch Day Security Note released after the second Tuesday will be accounted for in the following SAP Security Patch Day.

Customers who would like to see all Security Notes that were published or updated after the previous Patch Day can go to https://support.sap.com/securitynotes -> All Security Notes -> Filter for notes which have been published after 14th February 2017.

To know more about the security researchers and research companies who have contributed to this month's security patches, visit the SAP Product Security Response Acknowledgement Page.

Do write to us at secure@sap.com with all your comments and feedback on this blog post.

 

SAP Product Security Response Team
