
This post by the SAP Product Security Response Team shares information on Patch Day Security Notes*, which are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply patches on priority to protect their SAP landscape.

On 8th of May 2018, SAP Security Patch Day saw the release of 9 Security Notes. Additionally, there was 1 update to previously released security notes.

We would like to inform our customers that Security Notes 2616599 and 2615635, released on May Patch Day, are expected to be topics of discussion at an upcoming security conference in June. We therefore remind you to apply these SAP Security Notes on priority.

List of security notes released on May Patch Day:

Note# | Title | Priority | CVSS

2615635 | [CVE-2018-2420] Unrestricted File Upload in SAP Internet Graphics Server (IGS) | Medium | 6.5
Product – SAP Internet Graphics Server, Versions – 7.20, 7.20EXT, 7.45, 7.45, 7.49, 7.53

2610231 | [CVE-2018-2418] Code Injection Vulnerability in SAP MaxDB ODBC Driver | Medium | 5.5
Product – SAP MaxDB ODBC driver, Versions – 7.9.09.07

2601492 | [CVE-2018-2417] Information Disclosure in SAP Identity Management Runtime component | Medium | 5.3
Product – SAP Identity Management, Version – 8.0

2616599 | [CVE-2018-2421] Denial of Service in SAP Internet Graphics Server (IGS) Portwatcher | Medium | 5.3
Product – SAP Internet Graphics Server, Versions – 7.20, 7.20EXT, 7.45, 7.45, 7.49, 7.53

2617553 | [CVE-2018-2422] Denial of Service in SAP Internet Graphics Server (IGS) Portwatcher | Medium | 5.3
Product – SAP Internet Graphics Server, Versions – 7.20, 7.20EXT, 7.45, 7.45, 7.49, 7.53

2620744 | [CVE-2018-2423] Denial of Service in SAP Internet Graphics Server (IGS) RFC listener | Medium | 5.3
Product – SAP Internet Graphics Server, Versions – 7.20, 7.20EXT, 7.45, 7.45, 7.49, 7.53

2550202 | [CVE-2018-2415] Content Spoofing Vulnerability in NetWeaver Java AS Web Container and HTTP Service | Medium | 4.7
Product – SAP NetWeaver Application Server Java Web Container and HTTP Service
Component – Engine API, Versions – from 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50
Component – J2EE Engine Server Core, Versions – 7.11, 7.30, 7.31, 7.40, 7.50

2597875 | [CVE-2018-2416] Missing XML Validation vulnerability in SAP Identity Management | Medium | 4.3
Product – SAP Identity Management, Version – 8.0

2190621 | Update to Security Note released on December 2015 Patch Day: SAP NetWeaver SAL incorrect logging of addresses | Medium | 4.3
Product – SAP NetWeaver Security Audit Logging
Versions – 7.21, 7.21EXT, 7.22, 7.22EXT, 7.40, 7.41, 7.42, 7.45, 7.50

2596627 | [CVE-2018-2419] Missing Authorization check in SAP Enterprise Financial Services | Low | 3.7
Product – SAP Enterprise Financial Services
Component – SAPSCORE, Versions – 1.11, 1.12
Component – S4CORE, Versions – 1.01, 1.02
Component – EA-FINSERV, Versions – 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0
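The post asks customers to apply these notes on priority, which in practice means matching the affected product and version lists above against what is actually installed. The following Python is an added example, not SAP's code or tooling: it encodes the May 2018 notes from the table above as data, matches them against a constructed (not real) landscape inventory, and orders the hits with the two conference-flagged notes first, then by CVSS. The component and product names are taken as they appear in the post; mapping your own software-component inventory onto those names is assumed to be done beforehand, and the `Note`, `applicable_notes` and `patch_order` names are this example's own.

```python
"""Added triage example (not SAP's code): matches the May 2018 Patch Day notes
from the table above against a constructed landscape inventory and orders the
hits the way the post asks customers to work through them."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Note:
    number: str
    cve: str                              # empty for the 2015 note update, which lists no CVE
    title: str
    cvss: float
    affected: Dict[str, Tuple[str, ...]]  # product/component name (as in the post) -> affected versions
    public_talk: bool = False             # flagged in the post as an upcoming conference topic


# Versions exactly as the post lists them (7.45 appears twice there); set membership below makes the duplicate harmless.
IGS = ("7.20", "7.20EXT", "7.45", "7.45", "7.49", "7.53")

NOTES: List[Note] = [
    Note("2615635", "CVE-2018-2420", "Unrestricted File Upload in SAP Internet Graphics Server (IGS)", 6.5,
         {"SAP Internet Graphics Server": IGS}, public_talk=True),
    Note("2610231", "CVE-2018-2418", "Code Injection Vulnerability in SAP MaxDB ODBC Driver", 5.5,
         {"SAP MaxDB ODBC driver": ("7.9.09.07",)}),
    Note("2601492", "CVE-2018-2417", "Information Disclosure in SAP Identity Management Runtime component", 5.3,
         {"SAP Identity Management": ("8.0",)}),
    Note("2616599", "CVE-2018-2421", "Denial of Service in SAP Internet Graphics Server (IGS) Portwatcher", 5.3,
         {"SAP Internet Graphics Server": IGS}, public_talk=True),
    Note("2617553", "CVE-2018-2422", "Denial of Service in SAP Internet Graphics Server (IGS) Portwatcher", 5.3,
         {"SAP Internet Graphics Server": IGS}),
    Note("2620744", "CVE-2018-2423", "Denial of Service in SAP Internet Graphics Server (IGS) RFC listener", 5.3,
         {"SAP Internet Graphics Server": IGS}),
    Note("2550202", "CVE-2018-2415", "Content Spoofing Vulnerability in NetWeaver Java AS Web Container and HTTP Service", 4.7,
         {"Engine API": ("7.10", "7.11", "7.30", "7.31", "7.40", "7.50"),   # "from 7.10 to 7.11" expanded
          "J2EE Engine Server Core": ("7.11", "7.30", "7.31", "7.40", "7.50")}),
    Note("2597875", "CVE-2018-2416", "Missing XML Validation vulnerability in SAP Identity Management", 4.3,
         {"SAP Identity Management": ("8.0",)}),
    Note("2190621", "", "Update: SAP NetWeaver SAL incorrect logging of addresses", 4.3,
         {"SAP NetWeaver Security Audit Logging":
          ("7.21", "7.21EXT", "7.22", "7.22EXT", "7.40", "7.41", "7.42", "7.45", "7.50")}),
    Note("2596627", "CVE-2018-2419", "Missing Authorization check in SAP Enterprise Financial Services", 3.7,
         {"SAPSCORE": ("1.11", "1.12"), "S4CORE": ("1.01", "1.02"),
          "EA-FINSERV": ("6.04", "6.05", "6.06", "6.16", "6.17", "6.18", "8.0")}),
]


def _key(s: str) -> str:
    """Case- and whitespace-insensitive key so '7.20ext' and '7.20EXT' compare equal."""
    return "".join(s.split()).upper()


def applicable_notes(inventory: Iterable[Tuple[str, str]],
                     notes: Iterable[Note] = NOTES) -> List[Tuple[Note, str, str]]:
    """Return (note, component, version) for each inventory entry covered by an affected-version
    list, ordered: conference-flagged notes first, then CVSS descending, then note number."""
    inventory = list(inventory)  # may be iterated once per note/component pair
    hits = []
    for note in notes:
        for component, versions in note.affected.items():
            affected = {_key(v) for v in versions}
            for inv_component, inv_version in inventory:
                if _key(inv_component) == _key(component) and _key(inv_version) in affected:
                    hits.append((note, inv_component, inv_version))
    hits.sort(key=lambda h: (not h[0].public_talk, -h[0].cvss, h[0].number))
    return hits


def patch_order(inventory: Iterable[Tuple[str, str]]) -> List[str]:
    """Note numbers to apply, in priority order, each listed once."""
    seen, order = set(), []
    for note, _, _ in applicable_notes(inventory):
        if note.number not in seen:
            seen.add(note.number)
            order.append(note.number)
    return order


# Constructed inventory, not a real landscape: (product/component name as used in the post, version).
SAMPLE_INVENTORY = [
    ("SAP Internet Graphics Server", "7.45"),
    ("SAP Identity Management", "8.0"),
    ("J2EE Engine Server Core", "7.50"),
    ("SAP MaxDB ODBC driver", "7.9.09.08"),  # not the build the note lists, so no hit
    ("EA-FINSERV", "6.17"),
]

if __name__ == "__main__":
    for note, component, version in applicable_notes(SAMPLE_INVENTORY):
        flag = " (expected conference topic)" if note.public_talk else ""
        print(f"{note.number} CVSS {note.cvss:.1f} {component} {version}: {note.title}{flag}")
```

Matching is exact on the version strings the post gives; it deliberately does not treat an unlisted build (such as the MaxDB driver entry above) as affected or unaffected, so anything that produces no hit still needs to be checked against the note itself rather than assumed patched.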

________________________________________________________________________________

Chart: Security Notes vs Vulnerability Types – May 2018

Chart: Security Notes vs Priority Distribution (December 2017 – May 2018)**

* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in SAP Support Portal

** Any Patch Day Security Note released after the second Tuesday, will be accounted for in the following SAP Security Patch Day.

Customers who would like to see all Security Notes published or updated since the previous Patch Day can go to https://support.sap.com/securitynotes -> All Security Notes and filter for notes published after 10th April 2018.

To learn more about the security researchers and research companies who contributed to this month's security patches, visit the SAP Product Security Response Acknowledgement Page.

Do write to us at secure@sap.com with all your comments and feedback on this blog post.

SAP Product Security Response Team
