This post by the SAP Product Security Response Team shares information on the Patch Day Security Notes* that are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply the patches as a priority to protect their SAP landscape.

On 11th of April 2017, SAP Security Patch Day saw the release of 12 security notes. Additionally, there were 3 updates to previously released security notes.

April Patch Day also includes Security Note 2419592, rated Very High priority (Hot News) and the highest-scored note of the month. As always, we recommend that customers apply all SAP Security Notes at the earliest opportunity.

List of security notes released on the April Patch Day (the three "Update" entries are revisions of notes from earlier Patch Days):

Note#    Priority   CVSS  Title
2419592  Very High  9.4   Code Injection vulnerability in TREX / BWA
2407616  High       8.0   Update to Security Note released on Mar 2017 Patch Day: Remote Code Execution vulnerability in SAP GUI for Windows
2391018  High       7.8   Update to Security Note released on Feb 2017 Patch Day: Memory Corruption vulnerability in SAP 3D Visual Enterprise Author, Generator and Viewer
2410082  High       7.5   Missing XML Validation vulnerability in Web Dynpro Flash Island
2421287  High       7.5   Security vulnerabilities in SAPLPD
2406783  Medium     6.3   Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Central Technical Configuration
2423486  Medium     6.3   Missing Authorization check in SAP NetWeaver ADBC Demo Programs
2427949  Medium     6.3   Incorrect Authorization Checks in SAP ERP Logistics Customer Master and Vendor Master
2308535  Medium     6.1   Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Java Archiving Framework
2400292  Medium     5.4   Missing XML Validation vulnerability in TranslationSupport application
2426076  Medium     5.3   Multiple vulnerabilities in SAP ERP Stakeholder Relationship Management
2372301  Medium     4.9   Missing XML Validation in Composite Application Framework Authorization Tool
2387249  Medium     4.9   Missing XML Validation vulnerability in Knowledge Management ICE Service
2374348  Low        3.9   Update to Security Note released on Jan 2017 Patch Day: Information Disclosure in DBISQL affecting SAP SQL Anywhere, SAP ASE and SAP IQ
2403010  Low        3.5   Cross-Site Request Forgery (CSRF) vulnerability in BI LaunchPad

Chart: Security Notes vs Vulnerability Types - April 2017

Chart: Security Notes vs Priority Distribution (November 2016 – April 2017)**

* Patch Day Security Notes are all notes that appear under the category "Patch Day Notes" in the SAP Support Portal.

** Any Patch Day Security Note released after the second Tuesday is counted in the following SAP Security Patch Day.

Customers who want to see all Security Notes published or updated since the previous Patch Day can go to https://support.sap.com/securitynotes -> All Security Notes and filter for notes published after 14th March 2017.

To learn more about the security researchers and research companies who contributed to this month's security patches, visit the SAP Product Security Response Acknowledgement Page.

Do write to us at secure@sap.com with all your comments and feedback on this blog post.

SAP Product Security Response Team
