SAP Security Patch Day – December 2017
This post by the SAP Product Security Response Team shares information on Patch Day Security Notes*, which are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply the patches with priority to protect their SAP landscapes.
On 12 December 2017, SAP Security Patch Day saw the release of 11 Security Notes. Additionally, there were 4 updates to previously released Security Notes.
The SAP Security Response Team hereby also announces that SAP is now a CVE Numbering Authority (CNA). By using CVE, an industry standard, as the mechanism to disclose patches for vulnerabilities reported by external sources, we enable greater transparency and faster patch consumption for all SAP customers. The release of CVE disclosures will be aligned with SAP’s Security Patch Day.
List of security notes released on the December Patch Day:
Note# | Title | Priority | CVSS
2357141 | Update to Security Note released on November 2017 Patch Day: OS Command Injection vulnerability in Report for Terminology Export. Product – SAP NetWeaver Documentation and Translation Tools; Software Component – SAP Basis; Versions – 7.31, 7.40, 7.50, 7.51, 7.65, 7.66 | Very High | –
2449757 | [CVE-2017-16689] Additional Authentication check in Trusted RFC on same system. Product – Trusted RFC connection; Software Components – SAP KERNEL32NUC, KERNEL32Unicode, KERNEL64NUC, KERNEL64Unicode; Versions – 7.21, 7.21EXT, 7.22, 7.22EXT; Software Component – SAP KERNEL; Versions – 7.21, 7.22, 7.45, 7.49 | High | 7.6
2026174 | Update to Security Note released on August 2014 Patch Day: SBOP solution for Apache Struts 1.x vulnerability CVE-2014-0094. Product – SAP BusinessObjects Enterprise; Software Component – Enterprise; Versions – XI3.1, 4.0, 4.10 | High | –
2537152 | [CVE-2017-16684] Missing Authentication check in SAP BI Promotion Management Application. Product – SAP Business Intelligence Promotion Management Application; Software Component – Enterprise; Versions – 4.10, 4.20, 4.30 | High | 7.3
2537545 | [CVE-2017-16685] Cross-Site Scripting (XSS) vulnerability in SAP BW Universal Data Integration. Product – SAP Business Warehouse Universal Data Integration; Software Component – BI UDI; Versions – 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 | Medium | 6.9
2457562 | [CVE-2017-16678] Server-Side Request Forgery (SSRF) vulnerability in SAP NetWeaver Knowledge Management Configuration Service. Product – SAP NetWeaver Knowledge Management Configuration Service; Software Components – EPBC, EPBC2; Versions – 7.00, 7.01, 7.02; Software Component – KMC-BC; Versions – 7.30, 7.31, 7.40, 7.50 | Medium | 6.6
2531656 | [CVE-2017-16683] Denial of Service (DoS) in SAP BusinessObjects Platform. Product – SAP BusinessObjects Platform; Software Component – Enterprise; Versions – 4.10, 4.20 | Medium | 6.5
2523913 | [CVE-2017-16681] Cross-Site Scripting (XSS) vulnerability in BI Promotion Management Application. Product – SAP Business Intelligence Promotion Management Application; Software Component – Enterprise; Versions – 4.10, 4.20, 4.30 | Medium | 6.1
2408073 | Update to Security Note released on September 2017 Patch Day: Handling of Digitally Signed notes in SAP Note Assistant. Product – SAP Note Assistant; Software Component – SAP Basis; Versions – 46A-46D, 6.10-6.40, 7.00-7.02, 7.10, 7.11, 7.30, 7.31, 7.40, 7.50-7.52 | Medium | 5.5
2520995 | [CVE-2017-16679] URL Redirection vulnerability in Startup Service. Product – SAP Startup Service; Software Components – KERNEL32NUC, KERNEL32Unicode, KERNEL64NUC, KERNEL64Unicode; Versions – 7.21, 7.21EXT, 7.22, 7.22EXT; Software Component – SAP KERNEL; Versions – 7.21, 7.22, 7.45, 7.49, 7.52 | Medium | 5.3
2522510 | [CVE-2017-16680] Potential audit log injection vulnerability in SAP HANA XS Advanced. Product – SAP HANA extended application services; Software Component – SAP Extended App Services; Versions – 1.0 | Medium | 5.3
2549983 | [CVE-2017-16687] Information Disclosure in SAP HANA XS classic user self-service. Product – SAP HANA extended application services; Software Component – SAP HANA Database; Versions – 1.00, 2.00 | Medium | 5.3
2546220 | Update to Security Note released on November 2017 Patch Day: [CVE-2017-16691] SNOTE: Digital signature verification along with note file extraction. Product – SAP Note Assistant; Software Component – SAP Basis; Versions – 7.00, 7.01, 7.02, 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, 7.51, 7.52 | Medium | 5.3
2526781 | [CVE-2017-16682] Code Injection vulnerability in SAP NetWeaver/ITS. Product – SAP NetWeaver Internet Transaction Server (ITS); Software Component – SAP Basis; Versions – 7.00, 7.01, 7.02, 7.30, 7.31, 7.40, 7.50, 7.51, 7.52 | Medium | 5.1
2529480 | [CVE-2017-16690] DLL preload attack possible on NwSapSetup and Installation self-extracting program for SAP Plant Connectivity. Product – SAP Plant Connectivity (PCo); Versions – 2.3, 15.0 | Medium | 5.0
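The table above lists affected software components with SAP-style version specs, some of them ranges such as 7.00-7.02 or 46A-46D, and the post asks customers to apply the notes "with priority". The script below is an added example, not part of the SAP blog post or any SAP tool: it transcribes a subset of the December 2017 rows, matches the version specs against a constructed inventory of installed component releases, and orders the applicable notes by SAP priority and then CVSS. Ranges are kept as inclusive intervals rather than expanded into release numbers, because SAP numbering is sparse (there is no 6.30 inside 6.10-6.40). The component names and releases in INVENTORY are assumptions made for the example.

```python
"""Triage an SAP Security Patch Day note list against an installed landscape.

Added example, not part of the SAP blog post. NOTES is a transcribed
subset of the December 2017 table on the page; INVENTORY is a
constructed set of installed component releases used only for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

PRIORITY_RANK = {"Very High": 0, "High": 1, "Medium": 2, "Low": 3}


@dataclass(frozen=True)
class Note:
    number: int
    cve: str | None
    title: str
    priority: str
    cvss: float | None
    affected: tuple[tuple[str, str], ...]  # (software component, version spec)


# Subset of the December 2017 Patch Day table, transcribed from the page.
NOTES = (
    Note(2357141, None, "OS Command Injection in Report for Terminology Export",
         "Very High", None, (("SAP Basis", "7.31, 7.40, 7.50, 7.51, 7.65, 7.66"),)),
    Note(2449757, "CVE-2017-16689", "Additional Authentication check in Trusted RFC",
         "High", 7.6, (("KERNEL64Unicode", "7.21, 7.21EXT, 7.22, 7.22EXT"),
                       ("SAP KERNEL", "7.21, 7.22, 7.45, 7.49"))),
    Note(2537152, "CVE-2017-16684", "Missing Authentication check in BI Promotion Management",
         "High", 7.3, (("Enterprise", "4.10, 4.20, 4.30"),)),
    Note(2457562, "CVE-2017-16678", "SSRF in NetWeaver Knowledge Management Configuration Service",
         "Medium", 6.6, (("EPBC", "7.00, 7.01, 7.02"), ("KMC-BC", "7.30, 7.31, 7.40, 7.50"))),
    Note(2408073, None, "Handling of Digitally Signed notes in SAP Note Assistant",
         "Medium", 5.5, (("SAP Basis",
                          "46A-46D, 6.10 - 6.40, 7.00-7.02, 7.10, 7.11, 7.30, 7.31, 7.40, 7.50-7.52"),)),
    Note(2526781, "CVE-2017-16682", "Code Injection in SAP NetWeaver/ITS",
         "Medium", 5.1, (("SAP Basis", "7.00, 7.01, 7.02, 7.30, 7.31, 7.40, 7.50, 7.51, 7.52"),)),
    Note(2529480, "CVE-2017-16690", "DLL preload attack on NwSapSetup for SAP Plant Connectivity",
         "Medium", 5.0, (("SAP Plant Connectivity", "2.3, 15.0"),)),
)


def version_key(version: str) -> tuple:
    """Map "7.21EXT" to ((0, 7), (0, 21), (1, "EXT")) so that mixed numeric and
    alphabetic SAP release strings (7.40, 7.21EXT, 46A) compare consistently."""
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p.upper()) for p in parts)


def parse_spec(spec: str) -> list[tuple[tuple, tuple]]:
    """Parse a comma-separated version spec into inclusive (low, high) intervals.

    "7.40" becomes a point interval; "7.00-7.02" (also written with spaces or an
    en dash on the page) becomes a range. Ranges stay intervals and are never
    expanded into individual releases.
    """
    intervals = []
    for entry in spec.split(","):
        entry = entry.strip().replace("\u2013", "-")
        if not entry:
            continue
        low, _, high = entry.partition("-")
        low, high = low.strip(), (high.strip() or low.strip())
        intervals.append((version_key(low), version_key(high)))
    return intervals


def is_affected(installed: str, spec: str) -> bool:
    """True if the installed release falls inside any interval of the spec."""
    v = version_key(installed)
    return any(low <= v <= high for low, high in parse_spec(spec))


def triage(notes: tuple[Note, ...], inventory: dict[str, str]) -> list[Note]:
    """Return the notes that apply to the inventory, most urgent first.

    Ordering is by SAP priority, then CVSS descending. Update notes carry no
    CVSS on the page; they are placed ahead of scored notes of the same
    priority so that a missing score never demotes a note.
    """
    applicable = [
        n for n in notes
        if any(comp in inventory and is_affected(inventory[comp], spec)
               for comp, spec in n.affected)
    ]
    return sorted(applicable, key=lambda n: (PRIORITY_RANK[n.priority], -(n.cvss or 10.0)))


# Constructed inventory for the example: software component -> installed release.
INVENTORY = {"SAP Basis": "7.40", "SAP KERNEL": "7.45", "Enterprise": "4.20", "KMC-BC": "7.31"}

if __name__ == "__main__":
    for note in triage(NOTES, INVENTORY):
        score = "n/a" if note.cvss is None else f"{note.cvss:.1f}"
        print(f"{note.number}  {note.priority:<9}  CVSS {score:<4}  {note.cve or '-':<15}  {note.title}")
```

Running the script with the constructed inventory lists 2357141 first (Very High, unscored update), then the two High notes by CVSS, then the three applicable Medium notes; 2529480 is skipped because no Plant Connectivity component is installed. Substituting a real landscape's component list, for example from the System Status or Software Component views of the ABAP system, is the intended use.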
________________________________________________________________________________
Security Notes vs Vulnerability Types – December 2017
Security Notes vs Priority Distribution (July 2017 – December 2017)**
* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in SAP Support Portal
** Any Patch Day Security Note released after the second Tuesday, will be accounted for in the following SAP Security Patch Day.
Customers who would like to see all Security Notes published or updated since the previous Patch Day can go to https://support.sap.com/securitynotes -> All Security Notes and filter for notes published after 14 November 2017.
To learn more about the security researchers and research companies who contributed to this month's security patches, visit the SAP Product Security Response Acknowledgement Page.
Write to us at secure@sap.com with your comments and feedback on this blog post.