SAP Security Patch Day – May 2018
This post by the SAP Product Security Response Team shares information on Patch Day Security Notes*, which are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply the patches on priority to protect their SAP landscape.
On 8 May 2018, SAP Security Patch Day saw the release of 9 Security Notes. Additionally, there was 1 update to a previously released Security Note.
We would like to inform our customers that Security Notes 2616599 and 2615635, released on May Patch Day, are expected to be topics of discussion at an upcoming security conference in June. We therefore remind you to apply these SAP Security Notes on priority.
List of security notes released on May Patch Day:
Note# | Title (Product – affected versions) | Priority | CVSS |
2615635 | [CVE-2018-2420] Unrestricted File Upload in SAP Internet Graphics Server (IGS). Product – SAP Internet Graphics Server, Versions – 7.20, 7.20EXT, 7.45, 7.45, 7.49, 7.53 | Medium | 6.5 |
2610231 | [CVE-2018-2418] Code Injection Vulnerability in SAP MaxDB ODBC Driver. Product – SAP MaxDB ODBC driver, Versions – 7.9.09.07 | Medium | 5.5 |
2601492 | [CVE-2018-2417] Information Disclosure in SAP Identity Management Runtime component. Product – SAP Identity Management, Version – 8.0 | Medium | 5.3 |
2616599 | [CVE-2018-2421] Denial of Service in SAP Internet Graphics Server (IGS) Portwatcher. Product – SAP Internet Graphics Server, Versions – 7.20, 7.20EXT, 7.45, 7.45, 7.49, 7.53 | Medium | 5.3 |
2617553 | [CVE-2018-2422] Denial of Service in SAP Internet Graphics Server (IGS) Portwatcher. Product – SAP Internet Graphics Server, Versions – 7.20, 7.20EXT, 7.45, 7.45, 7.49, 7.53 | Medium | 5.3 |
2620744 | [CVE-2018-2423] Denial of Service in SAP Internet Graphics Server (IGS) RFC listener. Product – SAP Internet Graphics Server, Versions – 7.20, 7.20EXT, 7.45, 7.45, 7.49, 7.53 | Medium | 5.3 |
2550202 | [CVE-2018-2415] Content Spoofing Vulnerability in NetWeaver Java AS Web Container and HTTP Service. Product – SAP NetWeaver Application Server Java Web Container and HTTP Service; Component – Engine API, Versions – from 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50; Component – J2EE Engine Server Core, Versions – 7.11, 7.30, 7.31, 7.40, 7.50 | Medium | 4.7 |
2597875 | [CVE-2018-2416] Missing XML Validation vulnerability in SAP Identity Management. Product – SAP Identity Management, Version – 8.0 | Medium | 4.3 |
2190621 | Update to Security Note released on December 2015 Patch Day: SAP NetWeaver SAL incorrect logging of addresses. Product – SAP NetWeaver Security Audit Logging, Versions – 7.21, 7.21EXT, 7.22, 7.22EXT, 7.40, 7.41, 7.42, 7.45, 7.50 | Medium | 4.3 |
2596627 | [CVE-2018-2419] Missing Authorization check in SAP Enterprise Financial Services. Product – SAP Enterprise Financial Services; Component – SAPSCORE, Versions – 1.11, 1.12; Component – S4CORE, Versions – 1.01, 1.02; Component – EA-FINSERV, Versions – 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0 | Low | 3.7 |
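The practical question behind a list like this is which notes actually apply to a given landscape and in what order to apply them. The Python below is an added example, not SAP code or tooling: it parses note rows in the format of the listing above into structured records (CVE, title, per-component version lists, including the "from X to Y" ranges), matches them against an inventory of installed components, and orders the hits as the post advises, with the two notes flagged for public discussion first and the rest by CVSS. RAW_NOTES is a subset of the rows copied from this page; the LANDSCAPE inventory is constructed for illustration and does not describe any real system.

```python
"""Triage helper for a SAP Patch Day note listing (added example, not SAP tooling).

RAW_NOTES copies a subset of the rows from the listing above, one note per line
as "Note# | Title Product – ... | Priority | CVSS". LANDSCAPE is a constructed
inventory used only to illustrate the matching.
"""
import re
from dataclasses import dataclass

RAW_NOTES = """\
2615635 | [CVE-2018-2420] Unrestricted File Upload in SAP Internet Graphics Server (IGS) Product – SAP Internet Graphics Server, Versions – 7.20, 7.20EXT, 7.45, 7.45, 7.49, 7.53 | Medium | 6.5
2610231 | [CVE-2018-2418] Code Injection Vulnerability in SAP MaxDB ODBC Driver Product – SAP MaxDB ODBC driver, Versions – 7.9.09.07 | Medium | 5.5
2601492 | [CVE-2018-2417] Information Disclosure in SAP Identity Management Runtime component Product – SAP Identity Management, Version – 8.0 | Medium | 5.3
2616599 | [CVE-2018-2421] Denial of Service in SAP Internet Graphics Server (IGS) Portwatcher Product – SAP Internet Graphics Server, Versions – 7.20, 7.20EXT, 7.45, 7.45, 7.49, 7.53 | Medium | 5.3
2550202 | [CVE-2018-2415] Content Spoofing Vulnerability in NetWeaver Java AS Web Container and HTTP Service Product – SAP NetWeaver Application Server Java Web Container and HTTP Service Component – Engine API, Versions – from 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50; Component – J2EE Engine Server Core, Versions – 7.11, 7.30, 7.31, 7.40, 7.50 | Medium | 4.7
2190621 | Update to Security Note released on December 2015 Patch Day: SAP Netweaver SAL incorrect logging of addresses Product – SAP Netweaver Security Audit Logging Versions – 7.21, 7.21EXT, 7.22, 7.22EXT, 7.40, 7.41, 7.42, 7.45, 7.50 | Medium | 4.3
2596627 | [CVE-2018-2419] Missing Authorization check in SAP Enterprise Financial Services Product – SAP Enterprise Financial Services Component – SAPSCORE, Versions – 1.11, 1.12 Component – S4CORE, Versions – 1.01, 1.02 Component – EA-FINSERV, Versions – 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0 | Low | 3.7
"""

# Notes the post says are expected to be discussed publicly in June: apply first.
PUBLIC_DISCLOSURE_EXPECTED = {"2616599", "2615635"}

# Constructed inventory (component name -> installed version). Not real data.
LANDSCAPE = {
    "SAP Internet Graphics Server": "7.49",  # listed by both IGS notes
    "SAP Identity Management": "8.0",        # listed by 2601492
    "Engine API": "7.10",                    # inside "from 7.10 to 7.11"
    "SAPSCORE": "1.10",                      # not listed (1.11, 1.12 only)
    "SAP MaxDB ODBC driver": "7.9.09.08",    # newer than the listed 7.9.09.07
}

VERSIONS_RE = re.compile(r"(.+?),?\s*Versions? – (.+)$")


def _vkey(version):
    """'7.20EXT' -> ((7, 20), 'EXT'): numeric tuple plus suffix, so versions
    compare numerically (7.9 < 7.45) and EXT builds stay distinct."""
    m = re.match(r"([\d.]+)(.*)", version.strip())
    return tuple(int(p) for p in m.group(1).split(".") if p), m.group(2)


def split_versions(text):
    """'from 7.10 to 7.11, 7.30, 7.30' -> inclusive (low, high) ranges, deduplicated."""
    ranges = []
    for item in (i.strip() for i in text.split(",")):
        if not item:
            continue
        r = re.match(r"from (\S+) to (\S+)$", item)
        rng = (_vkey(r.group(1)), _vkey(r.group(2))) if r else (_vkey(item), _vkey(item))
        if rng not in ranges:
            ranges.append(rng)
    return ranges


def parse_affected(product_part):
    """'Prod, Versions – a, b' or 'Prod Component – X, Versions – a; Component – Y, ...'
    -> [(component, ranges), ...]; product-level versions are keyed by the product name."""
    chunks = re.split(r"\s*;?\s*Component – ", product_part.strip())
    m = VERSIONS_RE.match(chunks[0])
    affected = [(m.group(1).strip(), split_versions(m.group(2)))] if m else []
    for chunk in chunks[1:]:
        cm = VERSIONS_RE.match(chunk)
        affected.append((cm.group(1).strip(), split_versions(cm.group(2))))
    return affected


@dataclass
class Note:
    number: str
    cve: object          # CVE id string, or None for notes without one
    title: str
    affected: list       # [(component, [(low, high), ...]), ...]
    priority: str
    cvss: float


def parse_notes(raw):
    notes = []
    for line in raw.strip().splitlines():
        number, body, priority, cvss = (c.strip() for c in line.split("|"))
        cve = re.search(r"\[(CVE-\d{4}-\d+)\]", body)
        title, _, product_part = body.partition(" Product – ")
        title = re.sub(r"^\[CVE-[^\]]*\]\s*", "", title)
        notes.append(Note(number, cve.group(1) if cve else None, title,
                          parse_affected(product_part), priority, float(cvss)))
    return notes


def applicable(notes, inventory):
    """[(note, [matched components])] for installed versions inside an affected
    range, ordered: publicly-discussed notes first, then CVSS desc, then note#."""
    hits = []
    for n in notes:
        matched = [comp for comp, ranges in n.affected
                   if comp in inventory
                   and any(lo <= _vkey(inventory[comp]) <= hi for lo, hi in ranges)]
        if matched:
            hits.append((n, matched))
    hits.sort(key=lambda h: (h[0].number not in PUBLIC_DISCLOSURE_EXPECTED,
                             -h[0].cvss, h[0].number))
    return hits


if __name__ == "__main__":
    for note, comps in applicable(parse_notes(RAW_NOTES), LANDSCAPE):
        flag = "!" if note.number in PUBLIC_DISCLOSURE_EXPECTED else " "
        print(f"{flag} {note.number} {note.cve or '-':<14} CVSS {note.cvss:<4} "
              f"{note.title} <- {', '.join(comps)}")
```

Version strings are compared as a numeric tuple plus suffix, so 7.20EXT and 7.20 are distinct entries, as in SAP's listing, and an inventory entry for a component a note does not name simply produces no match. The listing is only a summary: the note text on the Support Portal remains authoritative for the exact affected releases and support package levels, so treat the output as a shortlist to verify, not as a final patch decision.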
________________________________________________________________________________
[Chart] Security Notes vs Vulnerability Types – May 2018
[Chart] Security Notes vs Priority Distribution (December 2017 – May 2018)**
* Patch Day Security Notes are all notes that appear under the category “Patch Day Notes” in the SAP Support Portal.
** Any Patch Day Security Note released after the second Tuesday will be accounted for in the following SAP Security Patch Day.
Customers who would like to see all Security Notes published or updated since the previous Patch Day can go to https://support.sap.com/securitynotes -> All Security Notes and filter for notes published after 10 April 2018.
To learn more about the security researchers and research companies who contributed to this month's security patches, visit the SAP Product Security Response Acknowledgement Page.
Do write to us at secure@sap.com with your comments and feedback on this blog post.