This post by SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that the customer visits the Support Portal and applies patches on a priority to protect his SAP landscape.
On 10th of October 2017, SAP Security Patch Day saw the release of 13 Security Notes. Additionally, there were 4 updates to previously released security notes.
List of security notes released on the September Patch Day:
|2486657||Update to Security Note released on August 2017 Patch Day:
Directory Traversal vulnerability in SAP NetWeaver AS Java Web Container
|2476937||Potential Denial of Service vulnerability in SAP Standalone Enqueue Server||High||7.5|
|2511453||Possible leakage of sensitive data in SAP Mobile Platform SDK 3.0||Medium||6.9|
|2509284||Memory Corruption vulnerability in SAP NetWeaver Instance Agent Service||Medium||6.6|
|2507798||Update to Security Note released on September 2017 Patch Day: Bypass of email verification in e-recruiting||Medium||6.5|
|2517501||Switchable Authorization checks for SAP ERP Funds Management Account Assignments||Medium||6.3|
|2236258||Missing XML Validation vulnerability in Adobe Document Services||Medium||5.5|
|2519135||Cross-Site Scripting (XSS) vulnerability in SAP CRM Mail Form Editor||Medium||5.4|
|2519622||Email Spoofing vulnerability in SAP CRM IC WebClient||Medium||5.4|
|2480857||Denial of Service in SAP NetWeaver Web Dynpro ABAP||Medium||5.3|
|2504129||Information Disclosure in SAP NetWeaver Instance Agent Service||Medium||5.3|
|2458021||Update to Security Note released on July 2017 Patch Day: Information Disclosure vulnerability in LDAP Authentication for SAP BusinessObjects Enterprise||Medium||5.3|
|2527770||Information Disclosure in SAP NetWeaver System Landscape Directory||Medium||4.3|
|2528596||Update to Security Note released on September 2017 Patch Day: Hard-coded Credentials in SAP Point of Sale Store Manager||Low||3.9|
|2510269||Information disclosure vulnerability in SAP NetWeaver Mobile Client||Low||3.8|
|2532802||Information Disclosure in SAP NetWeaver Mobile Client||Low||3.5|
|2528284||Information Disclosure in SAP NetWeaver Mobile Client||Low||3.3|
Security Notes vs Vulnerability Types- October 2017
Security Notes vs Priority Distribution (May 2017 – October 2017)**
* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in SAP Support Portal
** Any Patch Day Security Note released after the second Tuesday, will be accounted for in the following SAP Security Patch Day.
Customers who would like to take a look at all Security Notes that are published or updated after the previous Patch Day see: https://support.sap.com/securitynotes -> All Security Notes -> Filter for notes which have been published after 12th September 2017.
To know more about the security researchers and research companies who have contributed for security patches of this month visit SAP Product Security Response Acknowledgement Page
Do write to us at firstname.lastname@example.org with all your comments and feedback on this blog post.