SAP Security Patch Day – February 2018
This post by the SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply the patches as a priority to protect their SAP landscape.
On 13th of February 2018, SAP Security Patch Day saw the release of 11 Security Notes. Additionally, there were 3 updates to previously released security notes.
We would like to inform our customers that two notes (2525222 and 2547431) released on the February Patch Day are expected to be topics of discussion at an upcoming security conference in March. We therefore remind you to apply these SAP Security Notes as a priority.
List of security notes released on the February Patch Day:
| Note# | Title | Affected product / component / versions | Priority | CVSS |
|---|---|---|---|---|
| 2525222 | [CVE-2018-2395] Security vulnerabilities in SAP Internet Graphics Server (IGS). Related CVEs: CVE-2018-2394, CVE-2018-2396, CVE-2018-2391, CVE-2018-2390, CVE-2018-2386, CVE-2018-2385, CVE-2018-2384, CVE-2018-2393, CVE-2018-2392, CVE-2018-2388, CVE-2018-2383, CVE-2018-2389, CVE-2018-2382, CVE-2018-2387 | Product: SAP Internet Graphics Server; Versions: 7.20, 7.20EXT, 7.45, 7.49, 7.53 | High | 8.3 |
| 2565622 | [CVE-2018-2368] Missing Authentication check in SAP NetWeaver System Landscape Directory | Product: SAP Netweaver System Landscape Directory; Software Component: LM-CORE; Versions: 7.10, 7.11, 7.20, 7.30, 7.31, 7.40 | High | 8.3 |
| 2589129 | [CVE-2018-2374] Security vulnerabilities in SAP HANA Extended Application Services, advanced. Related CVEs: CVE-2018-2375, CVE-2018-2376, CVE-2018-2379, CVE-2018-2378, CVE-2018-2377, CVE-2018-2372, CVE-2018-2373 | Product: SAP HANA Extended Application Services; Version: 1.0 | High | 7.1 |
| 2562089 | [CVE-2018-2367] Directory Traversal vulnerability in ABAP File Interface | Product: ABAP File Interface; Software Component: SAP BASIS; Versions: from 7.00 to 7.02, from 7.10 to 7.11, 7.30, 7.31, 7.40, from 7.50 to 7.52 | Medium | 6.6 |
| 2547431 | [CVE-2018-2380] Directory Traversal vulnerability in Internet Sales | Product: SAP CRM; Versions: 7.01, 7.02, 7.30, 7.31, 7.33, 7.54 | Medium | 6.6 |
| 2545842 | [CVE-2018-2381] Missing Authorization check in SAP ERP Financials Information System | Product: SAP ERP Financials Information System; Version: 2.0 | Medium | 6.3 |
| 2427949 | Update to Security Note released on April 2017 Patch Day: Incorrect Authorization Checks in SAP ERP Logistics Customer Master and Vendor Master | Product: SAP ERP Logistics; Software Component SAP_APPL, Versions: 6.00, 6.02, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18; Software Component SAPSCORE, Version: 1.08; Software Component S4CORE, Versions: 1.00, 1.01 | Medium | 6.3 |
| 2494184 | Update to Security Note released on August 2017 Patch Day: Cross-Site Request Forgery (CSRF) vulnerability in multiple SAP Sybase products | Product: SAP Sybase; Software Component SYBASE REPLICATION SERVER, Version: 15.7.1; Software Component SIQ, Version: 16.0; Software Components SY_ESP_SERVER, SYBASE_ESP_ADAPTER_FOR_F.I.X., SYBASE_ESP_ADAP_FOR_OPEN_ADAP, SYBASE_ESP_STUDIO, SY_ESP_ADAPTER_NYSE_TECH_MAMA, SY_ESP_ADAP_TIBCO_RENDEZVOUS, SY_ESP_ADAPTER_ADOBE_FLEX, SY_ESP_ADAP_HTTP_OUTBOUND, SY_ESP_ADAP_LOG_FILE_INPUT, SY_ESP_ADD_IN_MICROSOFT_EXCEL, SY_ESP_ADAP_SL_RTVIEW, Version: 5.1; Software Component SYBASE_ASE_SERVER, Versions: 15.7, 16.0; Software Component SYBASE_ASE_CE_SERVER, Version: 15.7; Software Component SYBASE_SQL_ANYWHERE_SERVER, Versions: SQL_16.0, 17.0 | Medium | 6.3 |
| 2547977 | [CVE-2018-2365] Cross-Site Scripting (XSS) vulnerability in SAP Netweaver Portal | Product: SAP Netweaver Portal; Software Component: WebDynpro RunTime; Versions: 7.30, 7.31, 7.40, 7.50 | Medium | 6.1 |
| 2560741 | [CVE-2018-2371] Cross-Site Scripting (XSS) vulnerability in SAML 2.0 Service Provider of AS Java | Product: SAP Netweaver Java Web Application; Version: 7.50 | Medium | 6.1 |
| 2541700 | [CVE-2018-2364] Cross-Site Scripting (XSS) vulnerability in SAP CRM WebClient UI | Product: SAP CRM WebClient UI; Software Component SAP CRM WebClient UI, Versions: 7.01, 7.31, 7.46, 7.47, 7.48, 8.00, 8.01; Software Component S4FND, Version: 1.02 | Medium | 6.1 |
| 2493727 | [CVE-2018-2370] Server Side Request Forgery (SSRF) vulnerability in Central Management Console, BI Launchpad and Fiori BI Launchpad | Product: SAP BI Launchpad; Versions: 4.10, from 4.20, from 4.30 | Medium | 5.8 |
| 2408073 | Update to Security Note released on September 2017 Patch Day: Handling of Digitally Signed notes in SAP Note Assistant | Software Component: SAP Notes Assistant; Versions: from 46A to 46D, from 610 to 640, from 7.00 to 7.02, 7.10, 7.11, 7.30, 7.31, 7.40, from 7.50 to 7.52 | Medium | 5.5 |
| 2572940 | [CVE-2018-2369] Information Disclosure in authentication function of SAP HANA | Product: SAP HANA; Software Component: HDB; Versions: 1.00, 2.00 | Medium | 5.3 |
________________________________________________________________________________
Security Notes vs Vulnerability Types – February 2018
Security Notes vs Priority Distribution (September 2017 – February 2018)**
* Patch Day Security Notes are all notes that appear under the category “Patch Day Notes” in the SAP Support Portal.
** Any Patch Day Security Note released after the second Tuesday will be accounted for in the following SAP Security Patch Day.
Customers who would like to see all Security Notes published or updated since the previous Patch Day can go to https://support.sap.com/securitynotes -> All Security Notes and filter for notes published after 9th January 2018.
To learn more about the security researchers and research companies who contributed to this month's security patches, visit the SAP Product Security Response Acknowledgement Page.
Do write to us at secure@sap.com with all your comments and feedback on this blog post.