This post by the SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply patches as a priority to protect their SAP landscape.
On 8 August 2017, SAP Security Patch Day saw the release of 16 security notes.
List of security notes released on the August Patch Day:
| Note | Title | Priority | CVSS score |
|---|---|---|---|
| 2486657 | Directory Traversal vulnerability in SAP NetWeaver AS Java Web Container | High | 7.7 |
| 2376081 | Code Injection vulnerability in Visual Composer 04s iviews | High | 7.4 |
| 2381071 | Cross-Site AJAX Requests vulnerability in SAP BusinessObjects | High | 7.3 |
| 2499109 | Collisions during UUID generation in SAP NetWeaver Java Server | Medium | 6.8 |
| 2494184 | Cross-Site Request Forgery (CSRF) vulnerability in multiple SAP Sybase products | Medium | 6.3 |
| 2450979 | SQL Injection vulnerability in SAP CRM WebClient User Interface | Medium | 6.3 |
| 2481262 | Cross-Site Scripting (XSS) vulnerability in SAP CRM IPC Pricing | Medium | 6.1 |
| 2425744 | Cross-Site Scripting (XSS) vulnerability in SAP CRM WebClient UI | Medium | 6.1 |
| 2417020 | Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Business Client for HTML | Medium | 6.1 |
| 2493099 | Multiple Security Vulnerabilities in SAP SRM Live Auction Application | Medium | 6.1 |
| 2392719 | Potential Denial of Service vulnerability in Adobe Document Services | Medium | 5.3 |
| 2428512 | Server-Side Request Forgery (SSRF) vulnerability in Web Intelligence BI Launchpad | Medium | 5 |
| 2453642 | SQL Injection vulnerability in SAP NetWeaver | Medium | 4.7 |
| 2423540 | URL Redirection Vulnerability in SAP NetWeaver Logon Application | Medium | 4.3 |
| 2394536 | URL Redirection vulnerability in SAP NetWeaver K.M. Web Page Composer | Low | 3.5 |
| 2463354 | Missing Authorization check in the ABAP Workbench tools | Low | 2.7 |
[Figure: Security Notes vs Vulnerability Types - August 2017]
[Figure: Security Notes vs Priority Distribution (March 2017 – August 2017)**]
* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in SAP Support Portal.
** Any Patch Day Security Note released after the second Tuesday will be accounted for in the following SAP Security Patch Day.
Customers who would like to take a look at all Security Notes that have been published or updated after the previous Patch Day can go to: https://support.sap.com/securitynotes -> All Security Notes -> Filter for notes which have been published after 11th July 2017.
To learn more about the security researchers and research companies who contributed to this month's security patches, visit the SAP Product Security Response Acknowledgement Page.
Do write to us at firstname.lastname@example.org with all your comments and feedback on this blog post.