
This post by the SAP Product Security Response Team shares information on the Patch Day Security Notes* that are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply the patches with priority to protect their SAP landscapes.

On 12 December 2017, SAP Security Patch Day saw the release of 11 Security Notes. Additionally, there were 4 updates to previously released Security Notes.

The SAP Security Response Team also announces that SAP is now a CVE Numbering Authority (CNA). By using CVE, an industry standard, as the mechanism to disclose patches for vulnerabilities reported by external sources, we enable greater transparency and faster patch consumption for all SAP customers. CVE disclosures will be released in line with SAP's Security Patch Day.

List of security notes released on the December Patch Day:

Each entry gives the note number and title, the affected product, the software components and versions, and the note's priority and CVSS base score.

2357141 – Update to Security Note released on November 2017 Patch Day: OS Command Injection vulnerability in Report for Terminology Export
Product – SAP NetWeaver Documentation and Translation Tools
Software Component – SAP Basis; Versions – 7.31, 7.40, 7.50, 7.51, 7.65, 7.66
Priority – Very High; CVSS – 9.1

2449757 – [CVE-2017-16689] Additional Authentication check in Trusted RFC on same system
Product – Trusted RFC connection
Software Components – SAP KERNEL32NUC, KERNEL32Unicode, KERNEL64NUC, KERNEL64Unicode; Versions – 7.21, 7.21EXT, 7.22, 7.22EXT
Software Component – SAP KERNEL; Versions – 7.21, 7.22, 7.45, 7.49
Priority – High; CVSS – 7.6

2026174 – Update to Security Note released on August 2014 Patch Day: SBOP solution for Apache Struts 1.x vulnerability CVE-2014-0094
Product – SAP BusinessObjects Enterprise
Software Component – Enterprise; Versions – XI3.1, 4.0, 4.10
Priority – High; CVSS – 7.5

2537152 – [CVE-2017-16684] Missing Authentication check in SAP BI Promotion Management Application
Product – SAP Business Intelligence Promotion Management Application
Software Component – Enterprise; Versions – 4.10, 4.20, 4.30
Priority – High; CVSS – 7.3

2537545 – [CVE-2017-16685] Cross-Site Scripting (XSS) vulnerability in SAP BW Universal Data Integration
Product – SAP Business Warehouse Universal Data Integration
Software Component – BI UDI; Versions – 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50
Priority – Medium; CVSS – 6.9

2457562 – [CVE-2017-16678] Server-Side Request Forgery (SSRF) vulnerability in SAP NetWeaver Knowledge Management Configuration Service
Product – SAP NetWeaver Knowledge Management Configuration Service
Software Components – EPBC, EPBC2; Versions – 7.00, 7.01, 7.02
Software Component – KMC-BC; Versions – 7.30, 7.31, 7.40, 7.50
Priority – Medium; CVSS – 6.6

2531656 – [CVE-2017-16683] Denial of Service (DoS) in SAP BusinessObjects Platform
Product – SAP BusinessObjects Platform
Software Component – Enterprise; Versions – 4.10, 4.20
Priority – Medium; CVSS – 6.5

2523913 – [CVE-2017-16681] Cross-Site Scripting (XSS) vulnerability in BI Promotion Management Application
Product – SAP Business Intelligence Promotion Management Application
Software Component – Enterprise; Versions – 4.10, 4.20, 4.30
Priority – Medium; CVSS – 6.1

2408073 – Update to Security Note released on September 2017 Patch Day: Handling of Digitally Signed Notes in SAP Note Assistant
Product – SAP Note Assistant
Software Component – SAP Basis; Versions – 46A–46D, 6.10–6.40, 7.00–7.02, 7.10, 7.11, 7.30, 7.31, 7.40, 7.50–7.52
Priority – Medium; CVSS – 5.5

2520995 – [CVE-2017-16679] URL Redirection vulnerability in Startup Service
Product – SAP Startup Service
Software Components – KERNEL32NUC, KERNEL32Unicode, KERNEL64NUC, KERNEL64Unicode; Versions – 7.21, 7.21EXT, 7.22, 7.22EXT
Software Component – SAP KERNEL; Versions – 7.21, 7.22, 7.45, 7.49, 7.52
Priority – Medium; CVSS – 5.3

2522510 – [CVE-2017-16680] Potential audit log injection vulnerability in SAP HANA XS Advanced
Product – SAP HANA extended application services
Software Component – SAP Extended App Services; Versions – 1.0
Priority – Medium; CVSS – 5.3

2549983 – [CVE-2017-16687] Information Disclosure in SAP HANA XS classic user self-service
Product – SAP HANA extended application services
Software Component – SAP HANA Database; Versions – 1.00, 2.00
Priority – Medium; CVSS – 5.3

2546220 – Update to Security Note released on November 2017 Patch Day: [CVE-2017-16691] SNOTE: Digital signature verification along with note file extraction
Product – SAP Note Assistant
Software Component – SAP Basis; Versions – 7.00, 7.01, 7.02, 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, 7.51, 7.52
Priority – Medium; CVSS – 5.3

2526781 – [CVE-2017-16682] Code Injection vulnerability in SAP NetWeaver/ITS
Product – SAP NetWeaver Internet Transaction Server (ITS)
Software Component – SAP Basis; Versions – 7.00, 7.01, 7.02, 7.30, 7.31, 7.40, 7.50, 7.51, 7.52
Priority – Medium; CVSS – 5.1

2529480 – [CVE-2017-16690] DLL preload attack possible on NwSapSetup and Installation self-extracting program for SAP Plant Connectivity
Product – SAP Plant Connectivity (PCo)
Versions – 2.3, 15.0
Priority – Medium; CVSS – 5.0
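Note 2522510 names an audit log injection issue in SAP HANA XS Advanced but, as with every entry above, gives no technical detail. The following is an added illustration of that vulnerability class in general, written for this post and not SAP's code or anything derived from the note: a line-oriented audit writer that concatenates caller-supplied fields, the single forged record an attacker can plant through it, and a hardened writer that emits one JSON object per line so that a field can never terminate a record early. The user name, actions and outcomes are constructed sample data.

```python
"""Audit log injection: vulnerable line writer vs. hardened JSON Lines writer.

Generic illustration of the vulnerability class only. Not SAP code; the
records below are constructed for this example.
"""
import json

# Constructed attacker-controlled user name. The embedded CR/LF pairs end the
# genuine record early and insert a forged "admin LOGIN SUCCESS" entry; the
# trailing "user=attacker" soaks up the legitimate fields appended after it.
FORGED_USER = "attacker\r\nuser=admin action=LOGIN outcome=SUCCESS\r\nuser=attacker"


def vulnerable_audit_line(user: str, action: str, outcome: str) -> str:
    """Write an audit record by plain concatenation into a line-based log.

    Nothing strips or escapes line terminators, so any CR/LF inside a field
    is indistinguishable from a record boundary to whoever reads the log back.
    """
    return f"user={user} action={action} outcome={outcome}\n"


def hardened_audit_line(user: str, action: str, outcome: str) -> str:
    """Write the same record as exactly one JSON object per line.

    json.dumps escapes \\r, \\n and every other control character, so a field
    cannot contain a raw line terminator and one call yields one record.
    ensure_ascii=True also keeps Unicode line separators (U+2028/U+2029) out
    of the raw byte stream, which some line readers treat as breaks.
    """
    record = {"user": user, "action": action, "outcome": outcome}
    return json.dumps(record, ensure_ascii=True) + "\n"


def parse_legacy(log: str) -> list:
    """Reader for the vulnerable key=value format, one record per line."""
    records = []
    for line in log.splitlines():
        if not line.strip():
            continue
        tokens = (tok.split("=", 1) for tok in line.split() if "=" in tok)
        records.append(dict(tokens))
    return records


def parse_jsonl(log: str) -> list:
    """Reader for the hardened format: every non-empty line is one JSON record."""
    return [json.loads(line) for line in log.splitlines() if line.strip()]


def successful_admin_logins(records: list) -> list:
    """The query an investigator would run; a forged record passes it unchanged."""
    return [
        r for r in records
        if r.get("user") == "admin" and r.get("action") == "LOGIN" and r.get("outcome") == "SUCCESS"
    ]


def demo() -> tuple:
    """Return (records read from the vulnerable log, records read from the hardened log)."""
    legacy = parse_legacy(vulnerable_audit_line(FORGED_USER, "LOGIN", "FAILURE"))
    safe = parse_jsonl(hardened_audit_line(FORGED_USER, "LOGIN", "FAILURE"))
    return legacy, safe


if __name__ == "__main__":
    legacy, safe = demo()
    print(f"vulnerable writer: {len(legacy)} records read back, "
          f"{len(successful_admin_logins(legacy))} forged admin login(s)")
    print(f"hardened writer:   {len(safe)} record read back, "
          f"{len(successful_admin_logins(safe))} admin login(s)")
```

The single failed login by `attacker` is read back from the vulnerable log as three records, the middle one a successful admin login that never happened; the hardened writer preserves the hostile user name byte for byte inside one record, where a reviewer can see the injection attempt instead of being misled by it. Escaping at write time is the fix; trying to filter "dangerous" characters at read time leaves every existing log line already written in the forged shape.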


________________________________________________________________________________

Security Notes vs Vulnerability Types – December 2017

Security Notes vs Priority Distribution (July 2017 – December 2017)**

* Patch Day Security Notes are all notes that appear under the category "Patch Day Notes" in the SAP Support Portal.

** Any Patch Day Security Note released after the second Tuesday is accounted for in the following SAP Security Patch Day.

Customers who would like to see all Security Notes published or updated since the previous Patch Day can go to https://support.sap.com/securitynotes -> All Security Notes and filter for notes published after 14 November 2017.

To learn more about the security researchers and research companies who contributed to this month's security patches, visit the SAP Product Security Response Acknowledgement Page.

Do write to us at secure@sap.com with all your comments and feedback on this blog post.

SAP Product Security Response Team
