
This post by the SAP Product Security Response Team shares information on Patch Day Security Notes*, which are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply these patches as a priority to protect their SAP landscapes.

On 11 July 2017, SAP Security Patch Day saw the release of 10 new security notes. Additionally, there were 2 updates to previously released security notes, for 12 Patch Day notes in total.

The high priority security note 2476601 released today addresses missing authentication checks in SAP Point of Sale (POS) Retail Xpress Server. Details of this issue may be disclosed at upcoming security conferences, so we wish to remind you to apply all SAP Security Notes as a priority.

List of security notes released on the July Patch Day:

Note#   | Title                                                                                                   | Priority | CVSS
2476601 | Missing Authentication checks in SAP Point of Sale (POS) Retail Xpress Server                           | High     | 8.1
2442993 | Malicious SAP Host Agent Shutdown without Authentication                                                | High     | 7.5
2416119 | Update to Security Note released on March 2017 Patch Day: Improved security for outgoing HTTPS connections in SAP NetWeaver | High | 7.4
2453640 | Code Injection vulnerability in Governance, Risk and Compliance Access Controls                         | Medium   | 6.5
2409262 | Cross-Site Scripting (XSS) vulnerability in BI Promotion Management Application                         | Medium   | 6.1
2478964 | Cross-Site Scripting (XSS) vulnerability in SAP CRM Internet Sales Administration Console               | Medium   | 6.1
1854252 | Update to Security Note released on March 2013 Patch Day: Missing authorization-check in BC-SRV-ALV     | High     | 6.0
2398144 | Missing XML Validation vulnerability in SAP Business Objects Titan                                      | Medium   | 5.4
2458021 | Information Disclosure vulnerability in LDAP Authentication for SAP BusinessObjects Enterprise          | Medium   | 5.3
2424742 | Information Disclosure in SAP NetWeaver Master Data Management                                          | Medium   | 4.3
2478377 | Exposure to Sweet32 vulnerability in multiple SAP Sybase products                                       | Low      | 3.7
2459319 | Weak encryption used in SAP Netweaver Data Orchestration Engine                                         | Low      | 2.7

________________________________________________________________________________

[Chart: Security Notes vs Vulnerability Types, July 2017]

[Chart: Security Notes vs Priority Distribution, Feb 2017 to July 2017**]

* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in SAP Support Portal

** Any Patch Day Security Note released after the second Tuesday will be accounted for in the following SAP Security Patch Day.

Customers who would like to see all Security Notes that were published or updated after the previous Patch Day can go to https://support.sap.com/securitynotes -> All Security Notes and filter for notes published after 13 June 2017.

To learn more about the security researchers and research companies who contributed to this month's security patches, visit the SAP Product Security Response Acknowledgement Page.

Do write to us at secure@sap.com with all your comments and feedback on this blog post.

SAP Product Security Response Team


1 Comment


  1. Nelis Lamprecht

    Good day,

    Do you have any notification service for high priority security notes? We can receive notifications for SAPGUI updates via the SAP Wiki – is there something specifically for security notes?

    If there isn’t, perhaps there should be. It’s all very well that we keep our systems patched, but we need to know about these high risk issues first, and that can only be done through effective communication. I’m not sure a once a month list is effective for high priority security? …perhaps someone else can comment.

    Thanks, Nelis

