This post by the SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply patches on priority to protect their SAP landscape.
On 11 April 2017, SAP Security Patch Day saw the release of 12 security notes. Additionally, there were 3 updates to previously released security notes.
The April Patch Day also includes Security Note 2419592 of Very High priority (Hot News). As always, we recommend that customers apply all SAP Security Notes at the earliest.
List of security notes released on the April Patch Day:

| Note | Title | Priority | CVSS |
|---|---|---|---|
| 2419592 | Code Injection vulnerability in TREX / BWA | Very High | 9.4 |
| 2407616 | Update to Security Note released on Mar 2017 Patch Day: Remote Code Execution vulnerability in SAP GUI for Windows | | |
| 2391018 | Update to Security Note released on Feb 2017 Patch Day: Memory Corruption vulnerability in SAP 3D Visual Enterprise Author, Generator and Viewer | | |
| 2410082 | Missing XML Validation vulnerability in Web Dynpro Flash Island | High | 7.5 |
| 2421287 | Security vulnerabilities in SAPLPD | High | 7.5 |
| 2406783 | Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Central Technical Configuration | Medium | 6.3 |
| 2423486 | Missing Authorization check in SAP NetWeaver ADBC Demo Programs | Medium | 6.3 |
| 2427949 | Incorrect Authorization Checks in SAP ERP Logistics Customer Master and Vendor Master | Medium | 6.3 |
| 2308535 | Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Java Archiving Framework | Medium | 6.1 |
| 2400292 | Missing XML Validation vulnerability in TranslationSupport application | Medium | 5.4 |
| 2426076 | Multiple vulnerabilities in SAP ERP Stakeholder Relationship Management | Medium | 5.3 |
| 2372301 | Missing XML Validation in Composite Application Framework Authorization Tool | Medium | 4.9 |
| 2387249 | Missing XML Validation vulnerability in Knowledge Management ICE Service | Medium | 4.9 |
| 2374348 | Update to Security Note released on Jan 2017 Patch Day: Information Disclosure in DBISQL affecting SAP SQL Anywhere, SAP ASE and SAP IQ | | |
| 2403010 | Cross-Site Request Forgery (CSRF) vulnerability in BI LaunchPad | Low | 3.5 |
[Chart: Security Notes vs Vulnerability Types, April 2017]
[Chart: Security Notes vs Priority Distribution (November 2016 to April 2017)**]
* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in the SAP Support Portal.
** Any Patch Day Security Note released after the second Tuesday will be accounted for in the following SAP Security Patch Day.
Customers who would like to see all Security Notes published or updated since the previous Patch Day can go to https://support.sap.com/securitynotes -> All Security Notes -> Filter for notes published after 14th March 2017.
To learn more about the security researchers and research companies who contributed to this month's security patches, visit the SAP Product Security Response Acknowledgement Page.
Do write to us at firstname.lastname@example.org with all your comments and feedback on this blog post.