This post by SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply patches on a priority to protect their SAP landscape.
On 13th of June 2017, SAP Security Patch Day saw the release of 18 security notes. Additionally, there were 3 updates to previously released security notes.
List of security notes released on the June Patch Day:
Note# |
Title |
Priority |
CVSS |
| 2313631 | Denial of service (DOS) in BILaunchPad and Central Management Console | High | 7.5 |
| 2389181 | Denial of service (DOS) in SAP NetWeaver Instance Agent Service | High | 7.5 |
| 2416119 | Update to Security Note released on Mar 2017 Patch Day: Improved security for outgoing HTTPS connections in SAP NetWeaver |
High | 7.4 |
| 2396544 | Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Web Intelligence HTML interface | High | 7.1 |
| 2444321 | Missing certificate verification in CommonCryptoLib | High | 7 |
| 2425129 | Missing XML Validation vulnerability in SAP Note Assistant | Medium | 6.9 |
| 2427292 | Information disclosure in SAP MMC Console | Medium | 6.6 |
| 2430022 | Denial of service (DOS) in SAP Netweaver AS ABAP | Medium | 6.5 |
| 2457269 | Missing XML Validation vulnerability in Business Planning & Consolidation system reports | Medium | 6.5 |
| 2423486 | Update to Security Note released on Apr 2017 Patch Day: Missing Authorization check in SAP NetWeaver ADBC Demo Programs |
Medium | 6.3 |
| 2405943 | Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Composite Application Framework and Business | Medium | 6.1 |
| 2419559 | Reflected Cross-Site Scripting (XSS) in Web Intelligence BI Launchpad | Medium | 6.1 |
| 2419524 | Reflected Cross-Site Scripting (XSS) in Web Intelligence BI Launchpad | Medium | 6.1 |
| 2373032 | Update to Security Note released on Dec 2016 Patch Day: Cross-Site Scripting (XSS) vulnerability in WebClient User Interface |
Medium | 6.1 |
| 2423429 | Code Injection vulnerability in SAP Web Dispatcher | Medium | 5.3 |
| 2445071 | Denial of service (DOS) in SAP NetWeaver Message Server | Medium | 5.3 |
| 2445033 | Information Disclosure in SAP NetWeaver Message Server | Medium | 5.3 |
| 2422292 | Cross-Site Scripting (XSS) vulnerability in SAP Business Objects Financial Consolidation | Medium | 4.6 |
| 2429693 | Directory Traversal vulnerability in SAP BusinessObjects Intercompany 10.0 | Medium | 4.3 |
| 2457909 | Missing Authorization check in SCM Forecasting and Replenishment | Medium | 4.3 |
| 2472026 | URL Redirection vulnerability in SAP Data Services Management Console | Medium | 4.3 |
Security Notes vs Vulnerability Types- June 2017
Security Notes vs Priority Distribution (January 2017 – June 2017)**
* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in SAP Support Portal
** Any Patch Day Security Note released after the second Tuesday, will be accounted for in the following SAP Security Patch Day.
Customers who would like to take a look at all Security Notes that are published or updated after the previous Patch Day see: https://support.sap.com/securitynotes -> All Security Notes -> Filter for notes which have been published after 9th May 2017.
To know more about the security researchers and research companies who have contributed for security patches of this month visit SAP Product Security Response Acknowledgement Page
Do write to us at secure@sap.com with all your comments and feedback on this blog post.