SAP Security Patch Day – September 2017
This post by the SAP Product Security Response Team shares information on the Patch Day Security Notes* that are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply the patches on a priority basis to protect their SAP landscape.
On 12 September 2017, SAP Security Patch Day saw the release of 16 Security Notes. Additionally, there was one out-of-band release (Security Note 2520064) and 6 updates to previously released Security Notes.
Security Note 2408073, released today, enables SAP customers to prepare their systems to consume Digitally Signed SAP Notes. For details, refer to this blog. We wish to remind you to apply all SAP Security Notes on a priority basis.
The SAP Security Response Team hereby also announces that SAP plans to become a CVE Numbering Authority by the end of 2017. By using CVE as the mechanism to disclose patches for vulnerabilities reported by external sources, SAP will facilitate faster patch consumption and greater transparency for all SAP customers.
List of security notes released on the September Patch Day:
| Note# | Title | Priority | CVSS |
|---|---|---|---|
| 2476601 | Update to Security Note released on July 2017 Patch Day: Missing Authentication checks in SAP Point of Sale (POS) Retail Xpress Server | High | 8.1 |
| 2520064 | Out of band Security Note released on 18 Aug, 2017: Missing Authentication checks in SAP Point of Sale (POS) Retail Xpress Server | High | 8.1 |
| 2367269 | Cross-Site Request Forgery (CSRF) vulnerability in Electronic Ledger Management for Turkey 1.0 | High | 7.6 |
| 2492658 | Missing XML Validation vulnerability in SAP NetWeaver Java Workflow (JWF) | Medium | 6.9 |
| 2507798 | Bypass of email verification in e-recruiting | Medium | 6.5 |
| 2342974 | Arbitrary Valid Certificate Vulnerability in Adobe Document Services | Medium | 6.5 |
| 2491480 | Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Portal | Medium | 6.1 |
| 2488516 | Cross-Site Scripting (XSS) vulnerability in Web Dynpro ABAP | Medium | 6.1 |
| 2471209 | Cross-Site Scripting (XSS) vulnerability in SAPGUI for HTML | Medium | 6.1 |
| 2469860 | Cross-Site Scripting (XSS) vulnerability in Web Dynpro Java | Medium | 6.1 |
| 2464489 | Cross-Site Scripting (XSS) vulnerability in BIWorkspace | Medium | 6.1 |
| 2408073 | Handling of Digitally Signed notes in SAP Note Assistant | Medium | 5.5 |
| 2489196 | Information Disclosure in TREX / BWA | Medium | 5.5 |
| 2365450 | Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver SLC Sell Side Registration Page | Medium | 5.4 |
| 2444673 | Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Development Infrastructure Cockpit | Medium | 5.4 |
| 2453642 | Update to Security Note released on August 2017 Patch Day: SQL Injection vulnerability in SAP NetWeaver | Medium | 4.7 |
| 2524134 | Update 1 to 2423540: URL Redirection Vulnerability in SAP NetWeaver Logon Application | Medium | 4.3 |
| 2423540 | Update to Security Note released on August 2017 Patch Day: URL Redirection Vulnerability in SAP NetWeaver Logon Application | Medium | 4.3 |
| 2484707 | Multiple vulnerabilities in SAP BI mobile application | Medium | 4.1 |
| 2296722 | Update to Security Note released on May 2016 Patch Day: Information Disclosure vulnerability in SAP ASE Installer | Medium | 4.0 |
| 2374348 | Update to Security Note released on January 2017 Patch Day: Information Disclosure in DBISQL affecting SAP SQL Anywhere, SAP ASE and SAP IQ | Low | 3.9 |
| 2528596 | Hard-coded Credentials in SAP Point of Sale Store Manager | Low | 3.9 |
| 2483143 | Information Disclosure in SAP NetWeaver Adapter Engine Cache Monitor | Low | 3.5 |
[Chart: Security Notes vs Vulnerability Types – September 2017]
[Chart: Security Notes vs Priority Distribution (April 2017 – September 2017)**]
* Patch Day Security Notes are all notes that appear under the category "Patch Day Notes" in the SAP Support Portal.
** Any Patch Day Security Note released after the second Tuesday will be accounted for in the following SAP Security Patch Day.
Customers who would like to see all Security Notes published or updated since the previous Patch Day can go to https://support.sap.com/securitynotes -> All Security Notes -> filter for notes published after 8 August 2017.
To learn more about the security researchers and research companies who contributed to this month's security patches, visit the SAP Product Security Response Acknowledgement Page.
Do write to us at secure@sap.com with all your comments and feedback on this blog post.