
This post by the SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply patches on a priority basis to protect their SAP landscape.

On 13th of March 2018, SAP Security Patch Day saw the release of 8 Security Notes. Additionally, there were 2 updates to previously released security notes.

List of security notes released on the March Patch Day:

| Note# | Title | Priority | CVSS |
|---|---|---|---|
| 2538829 | Open Source Software Security Vulnerabilities in SAP Internet Graphics Server (IGS)<br>Related CVE – CVE-2004-1308, CVE-2005-3350, CVE-2005-2974<br>Product – SAP Internet Graphic Server<br>Versions – 7.20, 7.20_EXT, 7.45, 7.49, 7.53 | High | 8.8 |
| 2587369 | [CVE-2018-2402] Potential information disclosure in SAP HANA capture & replay trace file<br>Product – SAP HANA<br>Versions – 1.00, 2.00 | High | 7.6 |
| 2596535 | [CVE-2018-2400] Information Disclosure in SAP BPA BY REDWOOD<br>Product – SAP Business Process Automation (BPA) by Redwood<br>Version – 9.00, 9.10 | High | 7.5 |
| 2580967 | [CVE-2018-2398] Information Disclosure in SAP Business Client<br>Product – SAP Business Client<br>Version – 6.5 | Medium | 6.7 |
| 1974016 | Update to Security Note released on April 2014 Patch Day: Missing authorization check in function modules of BW-SYS-DB-DB4<br>Product – SAP NetWeaver Business Warehouse<br>Software Component – SAP_BW_VIRTUAL_COMP, Version – 7.01<br>Software Component – SAP_BW, Versions – 7.00, 7.01, 7.02, 7.10, 7.11, 7.20, 7.30, 7.31, 7.40 | Medium | 6.3 |
| 2592807 | [CVE-2018-2399] Cross-Site Scripting (XSS) vulnerability in Process Monitoring Infrastructure<br>Product – Process Monitoring Infrastructure<br>Versions – from 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 | Medium | 6.1 |
| 2550538 | [CVE-2018-2397] Cross-Site Scripting (XSS) vulnerability in SAP BI Central Management Console<br>Product – SAP Business Objects Business Intelligence Platform<br>Versions – 4.00, 4.10, 4.20, 4.30 | Medium | 5.4 |
| 2596766 | [CVE-2018-2401] XML External Entity vulnerability in SAP BPA BY REDWOOD<br>Product – SAP Business Process Automation (BPA) BY REDWOOD<br>Version – 9.00 | Medium | 5.4 |
| 2572940 | Update to Security Note released on April 2014 Patch Day: [CVE-2018-2369] Information Disclosure in authentication function of SAP HANA<br>Product – SAP HANA<br>Versions – 1.00, 1.20 | Medium | 5.3 |
| 2555667 | [CVE-2018-2366] Directory Traversal vulnerability in SAP Business Process Automation by Redwood<br>Product – SAP Business Process Automation (BPA) BY REDWOOD<br>Versions – 9.00, 9.10 | Medium | 4.3 |


Security Notes vs Vulnerability Types – March 2018


Security Notes vs Priority Distribution (October 2017 – March 2018)**

* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in SAP Support Portal

** Any Patch Day Security Note released after the second Tuesday will be accounted for in the following SAP Security Patch Day.

Customers who would like to take a look at all Security Notes that are published or updated after the previous Patch Day, see: -> All Security Notes -> Filter for notes which have been published after 13th February 2018.

To learn more about the security researchers and research companies who have contributed to this month's security patches, visit the SAP Product Security Response Acknowledgement Page.

Do write to us at with all your comments and feedback on this blog post.

SAP Product Security Response Team
