This post by the SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply the patches with priority to protect their SAP landscape.

On 14 November 2017, SAP Security Patch Day saw the release of 13 Security Notes. Additionally, there were 9 updates to previously released Security Notes.

List of security notes released on the November Patch Day:

| Note # | Title | Priority | CVSS |
|---|---|---|---|
| 2371726 | Update to Security Note released on September 2016 Patch Day: Code Injection vulnerability in Text Conversion | Very High | 9.1 |
| 2520772 | Update to Security Note released in September 2017: Information Disclosure in LaMa 3.0 | Very High | 9.1 |
| 2531241 | Update to Security Note released in September 2017: Information Disclosure in LVM 2.1 and LaMa 3.0 | Very High | 9.1 |
| 2500044 | Full access to SAP Management Console | High | 8.0 |
| 2492658 | Update to Security Note released on September 2017 Patch Day: Missing XML Validation vulnerability in SAP NetWeaver Java Workflow (JWF) | Medium | 6.9 |
| 1560538 | Update to Security Note released in May 2011: Missing authorization check in SCM-APO-INT | Medium | 6.3 |
| 2374767 | Cross-Site Scripting (XSS) vulnerability in SAPUI5 | Medium | 6.1 |
| 2473504 | Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Analysis Edition for OLAP | Medium | 6.1 |
| 2541610 | Cross-Site Scripting (XSS) vulnerability in SAP CRM Mail Form Editor | Medium | 6.1 |
| 2471209 | Update to Security Note released on September 2017 Patch Day: Cross-Site Scripting (XSS) vulnerability in SAPGUI for HTML | Medium | 6.1 |
| 2492999 | Multiple security vulnerabilities in SAP ERP Learning Solution Content Player | Medium | 5.5 |
| 2408073 | Update to Security Note released on September 2017 Patch Day: Handling of Digitally Signed notes in SAP Note Assistant | Medium | 5.5 |
| 2464582 | Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Knowledge Management XMLForms | Medium | 5.4 |
| 2400292 | Update to Security Note released on April 2017 Patch Day: Missing XML Validation vulnerability in TranslationSupport application | Medium | 5.4 |
| 2493171 | Information Disclosure in SAP NetWeaver Instance Agent Service | Medium | 5.3 |
| 2546220 | SNOTE: Digital signature verification along with note file extraction | Medium | 5.3 |
| 2508673 | Information Disclosure in SAP HANA Extended Application Services (XS Advanced) | Medium | 5.0 |
| 2535629 | DLL preload attack possible on NwSapSetup and Installation self extracting program | Medium | 5.0 |
| 2372301 | Update to Security Note released on April 2017 Patch Day: Missing XML Validation in Composite Application Framework Authorization Tool | Medium | 4.9 |
| 2508767 | Privilege Escalation after installation of SAP Systems on SAP HANA | Medium | 4.7 |
| 2514475 | Directory Traversal vulnerability in SAP BI Mobile Server | Medium | 4.3 |
| 2485208 | Log Injection Vulnerability in SAP NetWeaver AS Java | Medium | 4.3 |


[Chart: Security Notes vs Vulnerability Types – November 2017]

[Chart: Security Notes vs Priority Distribution (June 2017 – November 2017)**]

* Patch Day Security Notes are all notes that appear under the category “Patch Day Notes” in the SAP Support Portal.

** Any Patch Day Security Note released after the second Tuesday will be accounted for in the following SAP Security Patch Day.

Customers who would like to see all Security Notes published or updated since the previous Patch Day can go to https://support.sap.com/securitynotes -> All Security Notes and filter for notes published after 10 October 2017.

To learn more about the security researchers and research companies who contributed to this month's security patches, visit the SAP Product Security Response Acknowledgement Page.

Do write to us at secure@sap.com with all your comments and feedback on this blog post.

SAP Product Security Response Team
