
This post by the SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply patches on a priority basis to protect their SAP landscape.

On 10th of October 2017, SAP Security Patch Day saw the release of 13 Security Notes. Additionally, there were 4 updates to previously released security notes.

List of security notes released on the September Patch Day:

| Note# | Title | Priority | CVSS |
|---|---|---|---|
| 2486657 | Update to Security Note released on August 2017 Patch Day: Directory Traversal vulnerability in SAP NetWeaver AS Java Web Container | High | 7.7 |
| 2476937 | Potential Denial of Service vulnerability in SAP Standalone Enqueue Server | High | 7.5 |
| 2511453 | Possible leakage of sensitive data in SAP Mobile Platform SDK 3.0 | Medium | 6.9 |
| 2509284 | Memory Corruption vulnerability in SAP NetWeaver Instance Agent Service | Medium | 6.6 |
| 2507798 | Update to Security Note released on September 2017 Patch Day: Bypass of email verification in e-recruiting | Medium | 6.5 |
| 2517501 | Switchable Authorization checks for SAP ERP Funds Management Account Assignments | Medium | 6.3 |
| 2236258 | Missing XML Validation vulnerability in Adobe Document Services | Medium | 5.5 |
| 2519135 | Cross-Site Scripting (XSS) vulnerability in SAP CRM Mail Form Editor | Medium | 5.4 |
| 2519622 | Email Spoofing vulnerability in SAP CRM IC WebClient | Medium | 5.4 |
| 2480857 | Denial of Service in SAP NetWeaver Web Dynpro ABAP | Medium | 5.3 |
| 2504129 | Information Disclosure in SAP NetWeaver Instance Agent Service | Medium | 5.3 |
| 2458021 | Update to Security Note released on July 2017 Patch Day: Information Disclosure vulnerability in LDAP Authentication for SAP BusinessObjects Enterprise | Medium | 5.3 |
| 2527770 | Information Disclosure in SAP NetWeaver System Landscape Directory | Medium | 4.3 |
| 2528596 | Update to Security Note released on September 2017 Patch Day: Hard-coded Credentials in SAP Point of Sale Store Manager | Low | 3.9 |
| 2510269 | Information disclosure vulnerability in SAP NetWeaver Mobile Client | Low | 3.8 |
| 2532802 | Information Disclosure in SAP NetWeaver Mobile Client | Low | 3.5 |
| 2528284 | Information Disclosure in SAP NetWeaver Mobile Client | Low | 3.3 |

________________________________________________________________________________

[Figure: Security Notes vs Vulnerability Types - October 2017]

[Figure: Security Notes vs Priority Distribution (May 2017 – October 2017)**]

* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in the SAP Support Portal.

** Any Patch Day Security Note released after the second Tuesday will be accounted for in the following SAP Security Patch Day.

Customers who would like to take a look at all Security Notes that are published or updated after the previous Patch Day see: https://support.sap.com/securitynotes -> All Security Notes -> Filter for notes which have been published after 12th September 2017.

To learn more about the security researchers and research companies who have contributed to this month's security patches, visit the SAP Product Security Response Acknowledgement Page.

Do write to us at secure@sap.com with all your comments and feedback on this blog post.

SAP Product Security Response Team
