
This post by the SAP Product Security Response Team shares information on Patch Day Security Notes*, which are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply the patches with priority to protect their SAP landscape.

On 12 September 2017, SAP Security Patch Day saw the release of 16 Security Notes. Additionally, there was one out-of-band release (Security Note 2520064) and 6 updates to previously released Security Notes.

Security Note 2408073, released today, enables SAP customers to prepare their systems to consume Digitally Signed SAP Notes. For details, refer to this blog. We wish to remind you to apply all SAP Security Notes with priority.

The SAP Security Response Team hereby also announces that SAP plans to become a CVE Numbering Authority by the end of 2017. By using CVE as the mechanism to disclose patches for vulnerabilities reported by external sources, SAP will facilitate faster patch consumption and greater transparency for all SAP customers.

List of security notes released on the September Patch Day:

| Note# | Title | Priority | CVSS |
|---|---|---|---|
| 2476601 | Update to Security Note released on July 2017 Patch Day: Missing Authentication checks in SAP Point of Sale (POS) Retail Xpress Server | High | 8.1 |
| 2520064 | Out-of-band Security Note released on 18 Aug 2017: Missing Authentication checks in SAP Point of Sale (POS) Retail Xpress Server | High | 8.1 |
| 2367269 | Cross-Site Request Forgery (CSRF) vulnerability in Electronic Ledger Management for Turkey 1.0 | High | 7.6 |
| 2492658 | Missing XML Validation vulnerability in SAP NetWeaver Java Workflow (JWF) | Medium | 6.9 |
| 2507798 | Bypass of email verification in e-recruiting | Medium | 6.5 |
| 2342974 | Arbitrary Valid Certificate Vulnerability in Adobe Document Services | Medium | 6.5 |
| 2491480 | Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Portal | Medium | 6.1 |
| 2488516 | Cross-Site Scripting (XSS) vulnerability in Web Dynpro ABAP | Medium | 6.1 |
| 2471209 | Cross-Site Scripting (XSS) vulnerability in SAPGUI for HTML | Medium | 6.1 |
| 2469860 | Cross-Site Scripting (XSS) vulnerability in Web Dynpro Java | Medium | 6.1 |
| 2464489 | Cross-Site Scripting (XSS) vulnerability in BIWorkspace | Medium | 6.1 |
| 2408073 | Handling of Digitally Signed notes in SAP Note Assistant | Medium | 5.5 |
| 2489196 | Information Disclosure in TREX / BWA | Medium | 5.5 |
| 2365450 | Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver SLC Sell Side Registration Page | Medium | 5.4 |
| 2444673 | Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Development Infrastructure Cockpit | Medium | 5.4 |
| 2453642 | Update to Security Note released on August 2017 Patch Day: SQL Injection vulnerability in SAP NetWeaver | Medium | 4.7 |
| 2524134 | Update 1 to 2423540: URL Redirection Vulnerability in SAP NetWeaver Logon Application | Medium | 4.3 |
| 2423540 | Update to Security Note released on August 2017 Patch Day: URL Redirection Vulnerability in SAP NetWeaver Logon Application | Medium | 4.3 |
| 2484707 | Multiple vulnerabilities in SAP BI mobile application | Medium | 4.1 |
| 2296722 | Update to Security Note released on May 2016 Patch Day: Information Disclosure vulnerability in SAP ASE Installer | Medium | 4.0 |
| 2374348 | Update to Security Note released on January 2017 Patch Day: Information Disclosure in DBISQL affecting SAP SQL Anywhere, SAP ASE and SAP IQ | Low | 3.9 |
| 2528596 | Hard-coded Credentials in SAP Point of Sale Store Manager | Low | 3.9 |
| 2483143 | Information Disclosure in SAP NetWeaver Adapter Engine Cache Monitor | Low | 3.5 |


[Chart] Security Notes vs Vulnerability Types - September 2017

[Chart] Security Notes vs Priority Distribution (April 2017 - September 2017)**

* Patch Day Security Notes are all notes that appear under the category "Patch Day Notes" in the SAP Support Portal.

** Any Patch Day Security Note released after the second Tuesday will be accounted for in the following SAP Security Patch Day.

Customers who would like to see all Security Notes published or updated since the previous Patch Day can go to https://support.sap.com/securitynotes -> All Security Notes and filter for notes published after 8 August 2017.

To learn more about the security researchers and research companies who contributed to this month's security patches, visit the SAP Product Security Response Acknowledgement Page.

Do write to us at secure@sap.com with all your comments and feedback on this blog post.

SAP Product Security Response Team
