Skip to Content

This post by SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that the customer visits the Support Portal and applies patches on a priority to protect their SAP landscape.

On 13th of February 2018, SAP Security Patch Day saw the release of 11 Security Notes. Additionally, there were 3 updates to previously released security notes.

We would like to inform our customers that two notes (2525222 and 2547431) released on February Patch Day are expected to be topics of discussion in an upcoming security conference in March. Therefore, we wish to remind you to apply the SAP Security Notes on priority.

List of security notes released on the February Patch Day:

Note# Title Priority CVSS
2525222 [CVE-2018-2395] Security vulnerabilities in SAP Internet Graphics Server (IGS)
Related CVE – CVE-2018-2394CVE-2018-2396CVE-2018-2391CVE-2018-2390CVE-2018-2386CVE-2018-2385CVE-2018-2384CVE-2018-2393CVE-2018-2392, CVE-2018-2388CVE-2018-2383CVE-2018-2389CVE-2018-2382CVE-2018-2387
Product – SAP Internet Graphics Server
Versions – 7.20, 7.20EXT, 7.45, 7.49, 7.53
High 8.3
2565622 [CVE-2018-2368] Missing Authentication check in SAP NetWeaver System Landscape Directory
Product – SAP Netweaver System Landscape Directory
Software Component – LM-CORE; Versions – 7.10, 7.11, 7.20, 7.30, 7.31, 7.40
High 8.3
2589129 [CVE-2018-2374] Security vulnerabilities in SAP HANA Extended Application Services, advanced
Related CVE – CVE-2018-2375CVE-2018-2376CVE-2018-2379CVE-2018-2378CVE-2018-2377CVE-2018-2372CVE-2018-2373
Product – SAP HANA Extended Application Services
Version – 1.0
High 7.1
2562089 [CVE-2018-2367] Directory Traversal vulnerability in ABAP File Interface
Product – ABAP File Interface
Software Components – SAP BASIS; Versions – from 7.00 to 7.02, from 7.10 to 7.11, 7.30, 7.31, 7.40, from 7.50 to 7.52
Medium 6.6
2547431 [CVE-2018-2380] Directory Traversal vulnerability in Internet Sales
Product – SAP CRM
Version – 7.01, 7.02, 7.30, 7.31, 7.33, 7.54
Medium 6.6
2545842 [CVE-2018-2381] Missing Authorization check in SAP ERP Financials Information System
Products – SAP ERP Financials Information System
Version – 2.0
Medium 6.3
2427949 Update to Security Note released on April 2017 Patch Day:
Incorrect Authorization Checks in SAP ERP Logistics Customer Master and Vendor Master
Product – SAP ERP Logistics
Software Component – SAP_APPL; Versions – 6.00, 6.02, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18
Software Component – SAPSCORE; Version – 1.08
Software Component – S4CORE; Versions – 1.00, 1.01
Medium 6.3
2494184 Update to Security Note released on August 2017 Patch Day:
Cross-Site Request Forgery (CSRF) vulnerability in multiple SAP Sybase products
Product – SAP Sybase
Software Component – SYBASE REPLICATION SERVER; Version – 15.7.1
Software Component – SIQ; Version – 16.0
Software Components – SY_ESP_SERVER, SYBASE_ESP_ADAPTER_FOR_F.I.X., SYBASE_ESP_ADAP_FOR_OPEN_ADAP, SYBASE_ESP_STUDIO, SY_ESP_ADAPTER_NYSE_TECH_MAMA, SY_ESP_ADAP_TIBCO_RENDEZVOUS, SY_ESP_ADAPTER_ADOBE_FLEX, SY_ESP_ADAP_HTTP_OUTBOUND, SY_ESP_ADAP_LOG_FILE_INPUT, SY_ESP_ADD_IN_MICROSOFT_EXCEL, SY_ESP_ADAP_SL_RTVIEW; Version – 5.1
Software Component – SYBASE_ASE_SERVER; Versions – 15.7, 16.0
Software Component – SYBASE_ASE_CE_SERVER; Version – 15.7
Software Component – SYBASE_SQL_ANYWHERE_SERVER; Versions – SQL_16.0, 17.0
Medium 6.3
2547977 [CVE-2018-2365] Cross-Site Scripting (XSS) vulnerability in SAP Netweaver Portal
Product – SAP Netweaver Portal
Software Component – WebDynpro RunTime; Versions – 7.30, 7.31, 7.40, 7.50
Medium 6.1
2560741 [CVE-2018-2371] Cross-Site Scripting (XSS) Vulnerability in SAML 2.0 Service Provider of AS Java
Product – SAP Netweaver Java Web Application
Version – 7.50
Medium 6.1
2541700 [CVE-2018-2364] Cross-Site Scripting (XSS) vulnerability in SAP CRM WebClient UI
Product – SAP CRM WebClient UI
Software Component – SAP CRM WebClient UI; Versions – 7.01, 7.31, 7.46, 7.47, 7.48, 8.00, 8.01
Software Component – S4FND; Version – 1.02
Medium 6.1
2493727 [CVE-2018-2370] Server Side Request Forgery(SSRF) vulnerability in Central Management Console, BI Launchpad and Fiori BI Launchpad
Product – SAP BI Launchpad
Versions – 4.10, from 4.20, from 4.30
Medium 5.8
2408073 Update to Security Note released on September 2017 Patch Day:
Handling of Digitally Signed notes in SAP Note Assistant

Software Component – SAP Notes Assistant; Versions – from 46A to 46D, from 610 to 640, from 7.00 to 7.02, 7.10, 7.11, 7.30, 7.31, 7.40, from 7.50 to 7.52
Medium 5.5
2572940 [CVE-2018-2369] Information Disclosure in authentication function of SAP HANA
Product – SAP HANA
Software Component – HDB; Versions – 1.00, 2.00
Medium 5.3

________________________________________________________________________________

Security Notes vs Vulnerability Types – February 2018

 

Security Notes vs Priority Distribution (September 2017 – February 2018)**

* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in SAP Support Portal

** Any Patch Day Security Note released after the second Tuesday, will be accounted for in the following SAP Security Patch Day.

Customers who would like to take a look at all Security Notes that are published or updated after the previous Patch Day, see: https://support.sap.com/securitynotes -> All Security Notes -> Filter for notes which have been published after 9th January 2018.

To know more about the security researchers and research companies who have contributed for security patches of this month, visit SAP Product Security Response Acknowledgement Page

Do write to us at secure@sap.com with all your comments and feedback on this blog post.

SAP Product Security Response Team

To report this post you need to login first.

Be the first to leave a comment

You must be Logged on to comment or reply to a post.

Leave a Reply