
This post by the SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply the patches as a priority to protect their SAP landscape.

On 14 November 2017, SAP Security Patch Day saw the release of 13 Security Notes. Additionally, there were 9 updates to previously released Security Notes.

List of security notes released on the November Patch Day:

| Note# | Title | Priority | CVSS |
|---|---|---|---|
| 2371726 | Update to Security Note released on September 2016 Patch Day: Code Injection vulnerability in Text Conversion | Very High | 9.1 |
| 2520772 | Update to Security Note released in September 2017: Information Disclosure in LaMa 3.0 | Very High | 9.1 |
| 2531241 | Update to Security Note released in September 2017: Information Disclosure in LVM 2.1 and LaMa 3.0 | Very High | 9.1 |
| 2500044 | Full access to SAP Management Console | High | 8.0 |
| 2492658 | Update to Security Note released on September 2017 Patch Day: Missing XML Validation vulnerability in SAP NetWeaver Java Workflow (JWF) | Medium | 6.9 |
| 1560538 | Update to Security Note released in May 2011: Missing authorization check in SCM-APO-INT | Medium | 6.3 |
| 2374767 | Cross-Site Scripting (XSS) vulnerability in SAPUI5 | Medium | 6.1 |
| 2473504 | Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Analysis Edition for OLAP | Medium | 6.1 |
| 2541610 | Cross-Site Scripting (XSS) vulnerability in SAP CRM Mail Form Editor | Medium | 6.1 |
| 2471209 | Update to Security Note released on September 2017 Patch Day: Cross-Site Scripting (XSS) vulnerability in SAPGUI for HTML | Medium | 6.1 |
| 2492999 | Multiple security vulnerabilities in SAP ERP Learning Solution Content Player | Medium | 5.5 |
| 2408073 | Update to Security Note released on September 2017 Patch Day: Handling of Digitally Signed notes in SAP Note Assistant | Medium | 5.5 |
| 2464582 | Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Knowledge Management XMLForms | Medium | 5.4 |
| 2400292 | Update to Security Note released on April 2017 Patch Day: Missing XML Validation vulnerability in TranslationSupport application | Medium | 5.4 |
| 2493171 | Information Disclosure in SAP NetWeaver Instance Agent Service | Medium | 5.3 |
| 2546220 | SNOTE: Digital signature verification along with note file extraction | Medium | 5.3 |
| 2508673 | Information Disclosure in SAP HANA Extended Application Services (XS Advanced) | Medium | 5.0 |
| 2535629 | DLL preload attack possible on NwSapSetup and Installation self extracting program | Medium | 5.0 |
| 2372301 | Update to Security Note released on April 2017 Patch Day: Missing XML Validation in Composite Application Framework Authorization Tool | Medium | 4.9 |
| 2508767 | Privilege Escalation after installation of SAP Systems on SAP HANA | Medium | 4.7 |
| 2514475 | Directory Traversal vulnerability in SAP BI Mobile Server | Medium | 4.3 |
| 2485208 | Log Injection Vulnerability in SAP NetWeaver AS Java | Medium | 4.3 |


________________________________________________________________________________

Security Notes vs Vulnerability Types – November 2017

Security Notes vs Priority Distribution (June 2017 – November 2017)**

* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in SAP Support Portal

** Any Patch Day Security Note released after the second Tuesday will be accounted for in the following SAP Security Patch Day.

Customers who would like to see all Security Notes published or updated after the previous Patch Day can go to https://support.sap.com/securitynotes -> All Security Notes -> Filter for notes published after 10th October 2017.

To learn more about the security researchers and research companies who contributed to this month's security patches, visit the SAP Product Security Response Acknowledgement Page.

Do write to us at secure@sap.com with all your comments and feedback on this blog post.

SAP Product Security Response Team
