This post by SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that the customer visits the Support Portal and applies patches on a priority to protect their SAP landscape.
On 10th of April 2018, SAP Security Patch Day saw the release of 10 Security Notes. Additionally, there were 2 updates to previously released security notes.
SAP Product Security Response team would like to bring it to notice that SAP's product, SAP Business Client is integrated with Chromium, an open source rendering engine of Google Chrome web browser. The security note 2622660, released on April Patch day is to update our customers on the vulnerabilities that SAP Business Client inherits from third party web browsers like Google Chromium. The vulnerabilities listed in the security note are found in components delivered by Google. For more information on updates released by Google, please refer here - Chrome 63, Chrome 64, Chrome 65.
List of security notes released on the April Patch Day:
________________________________________________________________________________
Security Notes vs Vulnerability Types - April 2018
Security Notes vs Priority Distribution (November 2017 – April 2018)**
* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in SAP Support Portal
** Any Patch Day Security Note released after the second Tuesday, will be accounted for in the following SAP Security Patch Day.
Customers who would like to take a look at all Security Notes that are published or updated after the previous Patch Day, see: https://support.sap.com/securitynotes -> All Security Notes -> Filter for notes which have been published after 13th March 2018.
To know more about the security researchers and research companies who have contributed for security patches of this month, visit SAP Product Security Response Acknowledgement Page
Do write to us at secure@sap.com with all your comments and feedback on this blog post.
SAP Product Security Response Team
On 10th of April 2018, SAP Security Patch Day saw the release of 10 Security Notes. Additionally, there were 2 updates to previously released security notes.
SAP Product Security Response team would like to bring it to notice that SAP's product, SAP Business Client is integrated with Chromium, an open source rendering engine of Google Chrome web browser. The security note 2622660, released on April Patch day is to update our customers on the vulnerabilities that SAP Business Client inherits from third party web browsers like Google Chromium. The vulnerabilities listed in the security note are found in components delivered by Google. For more information on updates released by Google, please refer here - Chrome 63, Chrome 64, Chrome 65.
List of security notes released on the April Patch Day:
| Note# | Title | Priority | CVSS |
| 2622660 | Security updates for third party web browser controls delivered with SAP Business Client Product - SAP Business Client, Version - 6.5 | Hot News | 9.8 |
| 2587985 | Denial of Service (DOS) in SAP Business One Related CVE - CVE-2017-7668 Product - SAP Business One, Versions - 9.2, 9.3 | High | 7.5 |
| 2376081 | Update to Security Note released on August 2017 Patch Day: Code Injection vulnerability in Visual Composer 04s iviews Product - SAP Visual Composer, Versions - 7.00, 7.01, 7.02, 7.30, 7.31 | High | 7.4 |
| 2552318 | Update 1 to Security Note 2376081 Product - SAP Visual Composer, Versions - 7.00, 7.01, 7.02, 7.30, 7.31 | High | 7.4 |
| 2537150 | [CVE-2018-2408] Improper Session Management in SAP Business Objects - CMC/BI Launchpad/Fiorified BI Launchpad Product - SAP Business Objects Versions - 4.0, from 4.10, from 4.20, 4.30 | High | 7.3 |
| 2614141 | [CVE-2018-2409] Improper session management when using SAP CP Connectivity Service and Cloud Connector Product - SAP Cloud Platform Connector Version - 2.0 | Medium | 6.3 |
| 2595800 | [CVE-2018-2403] Multiple Security Vulnerabilities in SAP Disclosure Management Related CVEs - CVE-2018-2404, CVE-2018-2412, CVE-2018-2413 Product - SAP Disclosure Management Version - 10.1 | Medium | 5.4 |
| 2372688 | [CVE-2018-2405] Cross-Site Scripting in Solution Manager Incident Management Workcenter Product - SAP Solution Manager Versions - 7.10, 7.20 | Medium | 5.4 |
| 2582870 | [CVE-2018-2410] Cross-Site Scripting (XSS) Vulnerability in SAP Business One Browser Access Product - SAP Business One Version - 9.20, 9.30 | Medium | 5.4 |
| 2201710 | Update to Security Note released on September 2015 Patch Day: Fixing Logjam and Alternative chains certificate forgery vulnerabilities in multiple SAP products Product - Sybase PowerBuilder, Version - 12.6 Product - SMP, Version - 2.3 Product - Agentry, Version - 6.0 Product - SAP Open Switch, Version - 15.1 Product - SAP Open Server, Versions - 15.7, 16.0 Product - SDK for SAP ASE, Version - 16.0 Product - SYBASE SOFTWARE DEV KIT, Version - 15.7 Product - SYBASE IQ, Version - 15.4 Product - SAP IQ, Version - 16.0 Product - Sybase SQL Anywhere, Versions - 12.0.1, 16.0 Product - SAP SQL Anywhere, Version - 17.0 Product - SAP SQL Anywhere OnDemand, Version - 1.0 Product - SAP ASE, Versions - 15.7, 16.0 Product - SAP Replication Server, Version - 15.7 Product - SYBASE ECDA, Version - 15.7 Product - SAP HANA Smart Data Streaming, Version - 1.0 Product - SAP Complex Assembly Manufacturing, Version - 7.2 Product - SAP Data Services, Version - 4.2 | Medium | 5.4 |
| 2560132 | [CVE-2018-2406] Unquoted windows search path vulnerability in Crystal Reports Server, OEM Edition Product - SAP Crystal Reports Server, OEM Edition Versions - 4.0, 4.10, 4.20, 4.30 | Medium | 5.3 |
| 2598687 | Missing XML Validation vulnerability in SAP Control Center and SAP Cockpit Framework Related CVE - CVE-2009-3960 Product - SAP Control Center and SAP Cockpit Framework | Medium | 4.3 |
________________________________________________________________________________
Security Notes vs Vulnerability Types - April 2018
Security Notes vs Priority Distribution (November 2017 – April 2018)**
* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in SAP Support Portal
** Any Patch Day Security Note released after the second Tuesday, will be accounted for in the following SAP Security Patch Day.
Customers who would like to take a look at all Security Notes that are published or updated after the previous Patch Day, see: https://support.sap.com/securitynotes -> All Security Notes -> Filter for notes which have been published after 13th March 2018.
To know more about the security researchers and research companies who have contributed for security patches of this month, visit SAP Product Security Response Acknowledgement Page
Do write to us at secure@sap.com with all your comments and feedback on this blog post.
SAP Product Security Response Team
- SAP Managed Tags:
4 Comments
| User | Count |
|---|---|
| 5 | |
| 3 | |
| 3 | |
| 3 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 1 |
