SAP Security Patch Day – May 2017
This post by SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply patches on a priority to protect their SAP landscape.
On 9th of May 2017, SAP Security Patch Day saw the release of 9 security notes. Additionally, there were 2 updates to previously released security notes.
List of security notes released on the May Patch Day:
Note# |
Title |
Priority |
CVSS |
| 2376743 | Missing Authorization check in EA-DFPS utilities | Medium | 6.5 |
| 2442630 | Missing Authorization check in EA-DFPS | Medium | 6.3 |
| 2423486 | Update to Security Note released on Apr 2017 Patch Day: Missing Authorization check in SAP NetWeaver ADBC Demo Programs | Medium | 6.3 |
| 2443586 | Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Authentication and SSO | Medium | 6.1 |
| 2424671 | Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Generic Object Services | Medium | 5.4 |
| 2448972 | Improved Permission Checks for opening connection in SAP GUI for Java | Medium | 5.1 |
| 2412897 | Cross-Site Scripting (XSS) vulnerability in Enterprise Portal | Medium | 4.8 |
| 2441560 | Potential Denial of Service (DoS) in SAPCAR | Medium | 4.5 |
| 2394024 | Missing Authorization check in EA-DFPS | Medium | 4.3 |
| 2235515 | Update to Security Note released on Nov 2015 Patch Day: Insufficient logging in SNOTE |
Medium | 4.3 |
| 2406918 | Missing XML Validation vulnerability in SAP NetWeaver Web Services Configuration UI | Low | 3.8 |
Security Notes vs Vulnerability Types- May 2017
Security Notes vs Priority Distribution (December 2016 – May 2017)**
* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in SAP Support Portal
** Any Patch Day Security Note released after the second Tuesday, will be accounted for in the following SAP Security Patch Day.
Customers who would like to take a look at all Security Notes that are published or updated after the previous Patch Day see: https://support.sap.com/securitynotes -> All Security Notes -> Filter for notes which have been published after 11th April 2017.
To know more about the security researchers and research companies who have contributed for security patches of this month visit SAP Product Security Response Acknowledgement Page
Do write to us at secure@sap.com with all your comments and feedback on this blog post.