
This post by the SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply the patches with priority to protect their SAP landscape.

On 13th of June 2017, SAP Security Patch Day saw the release of 18 security notes. Additionally, there were 3 updates to previously released security notes.

List of security notes released on the June Patch Day:

| Note# | Title | Priority | CVSS |
| --- | --- | --- | --- |
| 2313631 | Denial of service (DOS) in BILaunchPad and Central Management Console | High | 7.5 |
| 2389181 | Denial of service (DOS) in SAP NetWeaver Instance Agent Service | High | 7.5 |
| 2416119 | Update to Security Note released on Mar 2017 Patch Day: Improved security for outgoing HTTPS connections in SAP NetWeaver | High | 7.4 |
| 2396544 | Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Web Intelligence HTML interface | High | 7.1 |
| 2444321 | Missing certificate verification in CommonCryptoLib | High | 7 |
| 2425129 | Missing XML Validation vulnerability in SAP Note Assistant | Medium | 6.9 |
| 2427292 | Information disclosure in SAP MMC Console | Medium | 6.6 |
| 2430022 | Denial of service (DOS) in SAP Netweaver AS ABAP | Medium | 6.5 |
| 2457269 | Missing XML Validation vulnerability in Business Planning & Consolidation system reports | Medium | 6.5 |
| 2423486 | Update to Security Note released on Apr 2017 Patch Day: Missing Authorization check in SAP NetWeaver ADBC Demo Programs | Medium | 6.3 |
| 2405943 | Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Composite Application Framework and Business | Medium | 6.1 |
| 2419559 | Reflected Cross-Site Scripting (XSS) in Web Intelligence BI Launchpad | Medium | 6.1 |
| 2419524 | Reflected Cross-Site Scripting (XSS) in Web Intelligence BI Launchpad | Medium | 6.1 |
| 2373032 | Update to Security Note released on Dec 2016 Patch Day: Cross-Site Scripting (XSS) vulnerability in WebClient User Interface | Medium | 6.1 |
| 2423429 | Code Injection vulnerability in SAP Web Dispatcher | Medium | 5.3 |
| 2445071 | Denial of service (DOS) in SAP NetWeaver Message Server | Medium | 5.3 |
| 2445033 | Information Disclosure in SAP NetWeaver Message Server | Medium | 5.3 |
| 2422292 | Cross-Site Scripting (XSS) vulnerability in SAP Business Objects Financial Consolidation | Medium | 4.6 |
| 2429693 | Directory Traversal vulnerability in SAP BusinessObjects Intercompany 10.0 | Medium | 4.3 |
| 2457909 | Missing Authorization check in SCM Forecasting and Replenishment | Medium | 4.3 |
| 2472026 | URL Redirection vulnerability in SAP Data Services Management Console | Medium | 4.3 |

[Chart: Security Notes vs Vulnerability Types, June 2017]

[Chart: Security Notes vs Priority Distribution (January 2017 – June 2017)**]

* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in SAP Support Portal

** Any Patch Day Security Note released after the second Tuesday will be accounted for in the following SAP Security Patch Day.

Customers who would like to review all Security Notes that were published or updated after the previous Patch Day can do so at https://support.sap.com/securitynotes -> All Security Notes -> Filter for notes published after 9th May 2017.

To learn more about the security researchers and research companies who contributed to this month's security patches, visit the SAP Product Security Response Acknowledgement Page.

Do write to us at secure@sap.com with all your comments and feedback on this blog post.

SAP Product Security Response Team
