Aditi Kulkarni

SAP Security Patch Day – April 2018

This post by the SAP Product Security Response Team shares information on Patch Day Security Notes*, which are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply patches as a priority to protect their SAP landscape.

On 10th of April 2018, SAP Security Patch Day saw the release of 10 Security Notes. Additionally, there were 2 updates to previously released security notes.

The SAP Product Security Response Team would like to point out that SAP Business Client is integrated with Chromium, an open source rendering engine of the Google Chrome web browser. Security note 2622660, released on the April Patch Day, informs customers of the vulnerabilities that SAP Business Client inherits from third-party web browsers like Google Chromium. The vulnerabilities listed in the security note are found in components delivered by Google. For more information on updates released by Google, please refer here – Chrome 63, Chrome 64, Chrome 65.

List of security notes released on the April Patch Day:

| Note# | Title | Priority | CVSS |
|---|---|---|---|
| 2622660 | Security updates for third party web browser controls delivered with SAP Business Client; Product – SAP Business Client, Version – 6.5 | Hot News | 9.8 |
| 2587985 | Denial of Service (DOS) in SAP Business One; Related CVE – CVE-2017-7668; Product – SAP Business One, Versions – 9.2, 9.3 | High | 7.5 |
| 2376081 | Update to Security Note released on August 2017 Patch Day: Code Injection vulnerability in Visual Composer 04s iviews; Product – SAP Visual Composer, Versions – 7.00, 7.01, 7.02, 7.30, 7.31 | High | 7.4 |
| 2552318 | Update 1 to Security Note 2376081; Product – SAP Visual Composer, Versions – 7.00, 7.01, 7.02, 7.30, 7.31 | High | 7.4 |
| 2537150 | [CVE-2018-2408] Improper Session Management in SAP Business Objects – CMC/BI Launchpad/Fiorified BI Launchpad; Product – SAP Business Objects, Versions – 4.0, from 4.10, from 4.20, 4.30 | High | 7.3 |
| 2614141 | [CVE-2018-2409] Improper session management when using SAP CP Connectivity Service and Cloud Connector; Product – SAP Cloud Platform Connector, Version – 2.0 | Medium | 6.3 |
| 2595800 | [CVE-2018-2403] Multiple Security Vulnerabilities in SAP Disclosure Management; Related CVEs – CVE-2018-2404, CVE-2018-2412, CVE-2018-2413; Product – SAP Disclosure Management, Version – 10.1 | Medium | 5.4 |
| 2372688 | [CVE-2018-2405] Cross-Site Scripting in Solution Manager Incident Management Workcenter; Product – SAP Solution Manager, Versions – 7.10, 7.20 | Medium | 5.4 |
| 2582870 | [CVE-2018-2410] Cross-Site Scripting (XSS) Vulnerability in SAP Business One Browser Access; Product – SAP Business One, Versions – 9.20, 9.30 | Medium | 5.4 |
| 2201710 | Update to Security Note released on September 2015 Patch Day: Fixing Logjam and Alternative chains certificate forgery vulnerabilities in multiple SAP products; Product – Sybase PowerBuilder, Version – 12.6; Product – SMP, Version – 2.3; Product – Agentry, Version – 6.0; Product – SAP Open Switch, Version – 15.1; Product – SAP Open Server, Versions – 15.7, 16.0; Product – SDK for SAP ASE, Version – 16.0; Product – SYBASE SOFTWARE DEV KIT, Version – 15.7; Product – SYBASE IQ, Version – 15.4; Product – SAP IQ, Version – 16.0; Product – Sybase SQL Anywhere, Versions – 12.0.1, 16.0; Product – SAP SQL Anywhere, Version – 17.0; Product – SAP SQL Anywhere OnDemand, Version – 1.0; Product – SAP ASE, Versions – 15.7, 16.0; Product – SAP Replication Server, Version – 15.7; Product – SYBASE ECDA, Version – 15.7; Product – SAP HANA Smart Data Streaming, Version – 1.0; Product – SAP Complex Assembly Manufacturing, Version – 7.2; Product – SAP Data Services, Version – 4.2 | Medium | 5.4 |
| 2560132 | [CVE-2018-2406] Unquoted windows search path vulnerability in Crystal Reports Server, OEM Edition; Product – SAP Crystal Reports Server, OEM Edition, Versions – 4.0, 4.10, 4.20, 4.30 | Medium | 5.3 |
| 2598687 | Missing XML Validation vulnerability in SAP Control Center and SAP Cockpit Framework; Related CVE – CVE-2009-3960; Product – SAP Control Center and SAP Cockpit Framework | Medium | 4.3 |


[Chart: Security Notes vs Vulnerability Types – April 2018]

[Chart: Security Notes vs Priority Distribution (November 2017 – April 2018)**]

* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in SAP Support Portal

** Any Patch Day Security Note released after the second Tuesday, will be accounted for in the following SAP Security Patch Day.

Customers who would like to take a look at all Security Notes that are published or updated after the previous Patch Day, see: -> All Security Notes -> Filter for notes which have been published after 13th March 2018.

To learn more about the security researchers and research companies who contributed to this month's security patches, visit the SAP Product Security Response Acknowledgement Page.

Do write to us at with all your comments and feedback on this blog post.

SAP Product Security Response Team

      Frank Buchholz

      Instead of using to retrieve the complete list of new or changed Security Notes since the previous Patch Day you can use -> „Expert Search“ instead. Here you can choose a date range for „Released On (Free)“ = „Range starting 1 day after previous Patch Day“ together with a filter for „Document Type“ = „SAP Security Note“.

      For the date range 14.03.2018 - 10.04.2018 you get 16 new or changed Security Notes.

      Jelena Perfiljeva

      I don't mean no disrespect but why is this posted as an SCN blog? There is no personal narrative or story of any kind...

      If some SAP customers are having trouble locating these security notes in the Support Portal then an effort should be made to improve that tool instead of offering a blog as some kind of "communication crutch". Actually I'm not sure how anyone could possibly miss it in the Launchpad - the tile is right there on the default home screen.

      In the short term, the duplication of Support Portal seems unnecessary as this information is already available there (and a great search tip from Frank Buchholz). And in the long term, I'm having trouble seeing a value of this information beyond next month.

      If posting this as a blog, maybe at least add some story. Something like this:

      As soon as I poured the first cup of coffee in the morning, the manager showed up at my desk. "Hey, Aditi, what's happening?" he inquired, taking a sip from a large cup. "Listen, we are going to need you to go ahead and come in on Saturday" he continued, without waiting for an answer. "Another hacker wannabe discovered some security hole. By the way, don't forget about the new cover sheet for the TPS reports". I had to squeeze my red stapler very hard as he turned around and left. "This is such a great company to work for", I thought.


      Colleen Hebbert

      Blogs on the background story of the vulnerability would be worth reading. You could really add the drama of how the person investigating got to the root cause and take it from there.

      Jelena Perfiljeva

      My point exactly. This subject should lend itself easily to storytelling. And it's much more interesting what is behind the scenes of such notes.