Registration

Dear SAP Community Member,
In order to fully benefit from what the SAP Community has to offer, please register at:
http://scn.sap.com
Thank you,
The SAP Community team.
Skip to end of metadata
Go to start of metadata

This post by SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that the customer visits the Support Portal and applies patches on a priority to protect their SAP landscape.

On 12th of June 2018, SAP Security Patch Day saw the release of 5 Security Notes. Additionally, there were 5 updates to previously released security notes.

List of security notes released on June Patch Day:

 

Note#TitlePriorityCVSS
2622660

Update to Security Note released on April 2018 Patch Day:  
Security updates for 3rd party web browser controls delivered with SAP Business Client
Product - SAP Business Client, Version - 6.5

Hot News9.8
2357141Update to Security Note released on November 2016 Patch Day:  
OS Command Injection vulnerability in Report for Terminology Export
Product - SAP BASIS, Versions - 7.31, 7.40, 7.50, 7.51, 7.65, 7.66
Hot News9.1
2588475[CVE-2018-2425] Information Disclosure in SAP Business One for SAP HANA Backup Service
Product - SAP Business One, Versions - 9.2, 9.3 
High8.4
2626762Code Injection vulnerability in SAP Internet Sales
Related CVE - CVE-2015-0899
Product - SAP Internet Sales, Versions - 7.30,7.31, 7.32, 7.33, 7.54
High7.5
2629535Denial of service (DOS) in Internet Sales
Related CVE - CVE-2014-0050
Product - SAP Internet Sales, Versions - 7.30,7.31, 7.32, 7.33, 7.54
High7.3
2537150Update to Security Note released on April 2018 Patch Day:  
[CVE-2018-2408] Improper Session Management in SAP Business Objects -CMC/BI Launchpad/Fiorified BI Launchpad
Product - SAP Business Objects CMC, BI Launchpad, Friorified BI Launchpad, Versions - 4.0, 4.10, 4.20, 4.30
High7.3
1999142Update to Security Note released on August 2014 Patch Day:  
Potential remote code execution in SAP CrystalReports
Product - SAP Business Objects Enterprise, Versions - 4.0, 4.1
Medium6.6
2538856[CVE-2018-2424] Cross-Site Scripting (XSS) vulnerability in SAPUI5
Product - SAP UI5,
Component - SAP Hana Database, Versions - 1.00, 2.00
Component - SAP UI5, Versions - 1.00
Component - SAP UI5 (Java), Versions - 7.30, 7.31, 7.40, 7,50
Component - SAP UI, Versions - 7.40, 7.50, 7.51, 7.52, and version of 2.0 of SAP UI for SAP NetWeaver 7.00
Medium6.1
2621121[CVE-2018-2428] Information Disclosure in UI5 Handler 
Product - SAP UI5 Handler, 
Component - SAP Infrastructure, Version - 1.0
Component - SAP UI, Versions - 7.4, 7.5, 7.51, 7.52 and version of 2.0 of SAP UI for SAP NetWeaver 7.00
Medium5.3
2597875Update to Security Note released on May 2018 Patch Day:
[CVE-2018-2416] Missing XML Validation vulnerability in SAP Identity Management
Product - SAP Identity Management, Version - 8.0
Medium4.3

 

________________________________________________________________________________

Security Notes vs Vulnerability Types - June 2018

 

Security Notes vs Priority Distribution (January 2017 – June 2018)**

* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in SAP Support Portal

** Any Patch Day Security Note released after the second Tuesday, will be accounted for in the following SAP Security Patch Day.

Customers who would like to take a look at all Security Notes that are published or updated after the previous Patch Day, see: https://support.sap.com/securitynotes -> All Security Notes -> Filter for notes which have been published after 8th May 2018.

To know more about the security researchers and research companies who have contributed for security patches of this month, visit SAP Product Security Response Acknowledgement Page

Do write to us at secure@sap.com with all your comments and feedback on this blog post.

SAP Product Security Response Team

 

  • No labels