This post by SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that the customer visits the Support Portal and applies patches on a priority to protect their SAP landscape.
On 10th of July 2018, SAP Security Patch Day saw the release of 11 Security Notes. Additionally, there were 5 updates to previously released security notes.
List of security notes released on July Patch Day:
| Note# | Title | Priority | CVSS |
| 2622660 | Update to Security Note released on April 2018 Patch Day: | Hot News | 9.8 |
| 2629535 | Update to Security Note released on June 2018 Patch Day: Denial of service (DOS) in Internet Sales Related CVE - CVE-2014-0050 Product - SAP Internet Sales, Versions - 7.30,7.31, 7.32, 7.33, 7.54 | High | 7.3 |
| 2537150 | Update to Security Note released on April 2018 Patch Day: [CVE-2018-2408] Improper Session Management in SAP Business Objects -CMC/BI Launchpad/Fiorified BI Launchpad Product – SAP Business Objects, Versions – 4.0, from 4.10, from 4.20, 4.30 | High | 7.3 |
| 1999142 | Update to Security Note released on August 2014 Patch Day: Potential remote code execution in SAP CrystalReports Product - SAP Crystal Reports, version for Visual Studio .NET, Version – 2010 | Medium | 6.6 |
| 2652578 | [CVE-2018-2436] Missing Authorization check in Function Module WRCK_STORE_LOESCH_KONSISTENZ Product - SAP R/3 Enterprise Retail, Version - EHP6 | Medium | 6.4 |
| 2620738 | [CVE-2018-2427] Code Injection vulnerability in SAP CrystalReports Product - SAP CrystalReports, Component - version for Visual Studio .NET, Version - 2010 Component - SAP BusinessObjects Business Intelligence Suite, Versions - 4.10, 4.20 | Medium | 6.3 |
| 2643126 | [CVE-2018-2435] Cross-site Scripting (XSS) in SAP NetWeaver Enterprise Portal Product - SAP Business Objects Enterprise, Versions - 4.0, 4.1 | Medium | 6.1 |
| 2624762 | [CVE-2018-2431] Cross-Site Scripting (XSS) vulnerability in SAP CrystalReports Product - SAP BusinessObjects Business Intelligence Suite, Versions - 4.10, 4.20 | Medium | 6.1 |
| 2597913 | [CVE-2018-2433] Denial of Service (DOS) in SAP Gateway Product - SAP Gateway, Versions - SAP KERNEL 32 NUC, SAP KERNEL 32 Unicode, SAP KERNEL 64 NUC, SAP KERNEL 64 Unicode 7.21, 7.21EXT, 7.22 and 7.22EXT; SAP KERNEL 7.21, 7.22, 7.45, 7.49 and 7.53 | Medium | 5.9 |
| 2610231 | Update to Security Note released on May 2018 Patch Day: [CVE-2018-2418] Code Injection Vulnerability in SAP MaxDB ODBC Driver Product – SAP MaxDB ODBC driver, Versions – 7.9.09.07 | Medium | 5.5 |
| 2644238 | [CVE-2018-2438] Denial of service (DOS) in SAP Internet Graphics Server (IGS) Product - SAP Internet Graphics Server (IGS), Versions - 7.20, 7.20EXT, 7.45, 7.49, 7.53 | Medium | 5.3 |
| 2644227 | [CVE-2018-2437] Unauthorized Command execution in SAP Internet Graphics Server (IGS) Product - SAP Internet Graphics Server (IGS), Versions - 7.20, 7.20EXT, 7.45, 7.49, 7.53 | Medium | 4.8 |
| 2644147 | [CVE-2018-2439] Code Injection vulnerability in SAP Internet Graphics Server (IGS) Product - SAP Internet Graphics Server (IGS), Versions - 7.20, 7.20EXT, 7.45, 7.49, 7.53 | Medium | 4.7 |
| 2664767 | [CVE-2018-2440] Sensitive Information Exposure in SAP Dynamic Authorization Management by NextLabs Product - SAP Dynamic Authorization Management (DAM) by NextLabs (Java Policy Controller), Versions - 7.7 and 8.5 | Medium | 4.4 |
| 2523290 | [CVE-2018-2432] Header Manipulation vulnerability in BI LaunchPad and CMC Product - SAP BusinessObjects Business Intelligence (BI Launchpad and Central Management Console), Versions - 4.1, 4.2, 4.3 | Medium | 4.3 |
| 2633180 | [CVE-2018-2434] Content Spoofing vulnerability in SAP_UI component Product - Infrastructure for UI add-on for SAP NetWeaver (UI_Infra), SAP UI Implementation for Decoupled Innovations(UI_700): NW 7.00 Implementation, SAP User Interface Technology (SAP_UI), Versions - UI_Infra 1.0; SAP_UI 7.4, 7.5, 7.51, 7.52; UI_700 2.0 | Medium | 4.3 |
________________________________________________________________________________
Security Notes vs Vulnerability Types - July 2018
Security Notes vs Priority Distribution (February 2018 – July 2018)**
* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in SAP Support Portal
** Any Patch Day Security Note released after the second Tuesday, will be accounted for in the following SAP Security Patch Day.
Customers who would like to take a look at all Security Notes that are published or updated after the previous Patch Day, see: https://support.sap.com/securitynotes -> All Security Notes -> Filter for notes which have been published after 10th June 2018.
To know more about the security researchers and research companies who have contributed for security patches of this month, visit SAP Product Security Response Acknowledgement Page
Do write to us at secure@sap.com with all your comments and feedback on this blog post.
SAP Product Security Response Team