SAP Security Patch Day – March 2018
This post by SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that the customer visits the Support Portal and applies patches on a priority to protect their SAP landscape.
On 13th of March 2018, SAP Security Patch Day saw the release of 8 Security Notes. Additionally, there were 2 updates to previously released security notes.
List of security notes released on the March Patch Day:
| Note# | Title | Priority | CVSS |
| 2538829 | Open Source Software Security Vulnerabilities in SAP Internet Graphics Server (IGS) Related CVE – CVE-2004-1308, CVE-2005-3350, CVE-2005-2974 Product – SAP Internet Graphic Server Versions – 7.20, 7.20_EXT, 7.45, 7.49, 7.53 |
High | 8.8 |
| 2587369 | [CVE-2018-2402] Potential information disclosure in SAP HANA capture & replay trace file Product – SAP HANA Versions – 1.00, 2.00 |
High | 7.6 |
| 2596535 | [CVE-2018-2400] Information Disclosure in SAP BPA BY REDWOOD Product – SAP Business Process Automation (BPA) by Redwood Version – 9.00, 9.10 |
High | 7.5 |
| 2580967 | [CVE-2018-2398] Information Disclosure in SAP Business Client Product – SAP Business Client Version – 6.5 |
Medium | 6.7 |
| 1974016 | Update to Security Note released on April 2014 Patch Day: Missing authorization check in function modules of BW-SYS-DB-DB4 Product – SAP NetWeaver Business Warehouse Software Component – SAP_BW_VIRTUAL_COMP, Version – 7.01 Software Component – SAP_BW, Versions – 7.00, 7.01, 7.02, 7.10, 7.11, 7.20, 7.30, 7.31, 7.40 |
Medium | 6.3 |
| 2592807 | [CVE-2018-2399] Cross-Site Scripting (XSS) vulnerability in Process Monitoring Infrastructure Product – Process Monitoring Infrastructure Versions – from 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 |
Medium | 6.1 |
| 2550538 | [CVE-2018-2397] Cross-Site Scripting (XSS) vulnerability in SAP BI Central Management Console Product – SAP Business Objects Business Intelligence Platform Versions – 4.00, 4.10, 4.20, 4.30 |
Medium | 5.4 |
| 2596766 | [CVE-2018-2401] XML External Entity vulnerability in SAP BPA BY REDWOOD Product – SAP Business Process Automation (BPA) BY REDWOOD Version – 9.00 |
Medium | 5.4 |
| 2572940 | Update to Security Note released on April 2014 Patch Day: [CVE-2018-2369] Information Disclosure in authentication function of SAP HANA Product – SAP HANA Versions – 1.00, 1.20 |
Medium | 5.3 |
| 2555667 | [CVE-2018-2366] Directory Traversal vulnerability in SAP Business Process Automation by Redwood Product – SAP Business Process Automation (BPA) BY REDWOOD Versions – 9.00, 9.10 |
Medium | 4.3 |
________________________________________________________________________________
Security Notes vs Vulnerability Types – March 2018
Security Notes vs Priority Distribution (October 2017 – March 2018)**
* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in SAP Support Portal
** Any Patch Day Security Note released after the second Tuesday, will be accounted for in the following SAP Security Patch Day.
Customers who would like to take a look at all Security Notes that are published or updated after the previous Patch Day, see: https://support.sap.com/securitynotes -> All Security Notes -> Filter for notes which have been published after 13th February 2018.
To know more about the security researchers and research companies who have contributed for security patches of this month, visit SAP Product Security Response Acknowledgement Page
Do write to us at secure@sap.com with all your comments and feedback on this blog post.