SAP Security Patch Day – March 2017
This post by the SAP Product Security Response Team shares information on Patch Day Security Notes*, which are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply patches as a priority to protect their SAP landscape.
On 14th of March 2017, SAP Security Patch Day saw the release of 25 security notes. Additionally, there were 2 updates to previously released security notes.
We would like to inform our customers that the March Patch Day, which also includes a Security Note of Very High priority (Hot News), is immediately followed by security conferences where SAP vulnerabilities are expected to be discussed. Therefore, we wish to remind you to apply all SAP Security Notes as a priority. You may also visit this blog by the SAP HANA Security Team to learn more about security patches in SAP HANA.
List of security notes released on the March Patch Day:
Note# | Title | Priority | CVSS |
2424173 | Vulnerabilities in the user self-service tools of SAP HANA | Very high | 9.8 |
2429069 | Session fixation vulnerability in SAP HANA extended application services, classic model | High | 8.8 |
2407616 | Remote Code Execution vulnerability in SAP GUI for Windows | High | 8.0 |
2399804 | Denial of service (DOS) in Visual Composer | High | 7.5 |
2405918 | Denial of service (DOS) in SAP Netweaver Dynpro Engine | High | 7.5 |
2416119 | Improved security for HTTP URL outgoing connections in SAP Netweaver | High | 7.4 |
2418823 | Update 1 to Note 2319506 | High | 7.2 |
2378999 | Missing Authorization check in SAP ERP Materials Management | Medium | 6.3 |
2408100 | Cross-Site Scripting (XSS) vulnerability in Enterprise Portal – GenericSemanticTest component | Medium | 6.1 |
2417046 | Cross-Site Scripting (XSS) vulnerability in SAP Netweaver Monitoring application | Medium | 6.1 |
2372626 | Missing XML Validation vulnerability in SAP Netweaver Log Viewer application | Medium | 5.5 |
2332977 | Cross site scripting (XSS) vulnerability in Web Dynpro ABAP | Medium | 5.4 |
2333845 | Cross-Site Scripting (XSS) vulnerability in UnifiedRendering | Medium | 5.4 |
2335272 | Cross-Site Scripting (XSS) vulnerability in SAP GUI for HTML | Medium | 5.4 |
2360761 | Memory Corruption vulnerability in SAP 3D Visual Enterprise Author, Generator and Viewer | Medium | 5.4 |
2386814 | Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Web Intelligence HTML interface | Medium | 5.4 |
2392509 | Cross-Site Scripting (XSS) vulnerability in Enterprise Portal styleservice | Medium | 5.4 |
2417428 | Cross-Site Scripting (XSS) vulnerability in SAP Travel Management | Medium | 5.4 |
2418209 | Cross-Site Scripting (XSS) vulnerability in Security Diagnostic Tool | Medium | 5.4 |
2372188 | Information Disclosure in Business Process Management | Medium | 5.3 |
2424120 | Information disclosure in SAP HANA cockpit for offline administration | Medium | 4.9 |
2381388 | Missing Authorization check in SAP ERP Materials Management | Medium | 4.3 |
2406841 | Java Script Engine of ABAP server may become unavailable | Low | 2.7 |
2426260 | SQL Injection vulnerability in SAP HANA extended application services, classic model | Low | 2.7 |
2428811 | SQL Injection vulnerability in SAP HANA Web Workbench | Low | 2.7 |
[Figure: Security Notes vs Vulnerability Types – March 2017]
[Figure: Security Notes vs Priority Distribution (October 2016 – March 2017)**]
* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in SAP Support Portal
** Any Patch Day Security Note released after the second Tuesday, will be accounted for in the following SAP Security Patch Day.
Customers who would like to take a look at all Security Notes that were published or updated after the previous Patch Day can see: https://support.sap.com/securitynotes -> All Security Notes -> Filter for notes which have been published after 14th February 2017.
To learn more about the security researchers and research companies who have contributed to this month's security patches, visit the SAP Product Security Response Acknowledgement Page.
Do write to us at secure@sap.com with all your comments and feedback on this blog post.
The monthly worklist for a CERT team that is dealing with new and updated notes since the previous Patch Day is a little bit larger:
You find 35 new or changed security notes if you search for them on https://support.sap.com/securitynotes or https://support.sap.com/notes (-> Expert Search -> Document Type = Security Note, Date range = 15.02.2017-14.03.2017).
Kind regards
Frank Buchholz
CoE Security Services