Registration

Dear SAP Community Member,
In order to fully benefit from what the SAP Community has to offer, please register at:
http://scn.sap.com
Thank you,
The SAP Community team.
Skip to end of metadata
Go to start of metadata

This post by SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that the customer visits the Support Portal and applies patches on a priority to protect their SAP landscape.

On 14th of August 2018, SAP Security Patch Day saw the release of 12 Security Notes. Additionally, there were 2 updates to previously released security notes.

List of security notes released on August Patch Day:

 

Note#TitlePriorityCVSS
2655250

[CVE-2018-2449] Missing Authentication check in SAP SRM MDM Catalog
Product - SAP Supplier Relationship Management Master Data Management Catalog; Versions - 3.73, 7.31, 7.32

High8.6
2644154[CVE-2018-2447] SQL Injection vulnerability in BI Launchpad Web Intelligence
Product - SAP BusinessObjects Business Intelligence Platform; Version - 4.2
High7.7
2614229 Memory Corruption vulnerability in SAP BusinessObjects Business Intelligence platform
Related CVE - CVE-2015-5237
Product - SAP BusinessObjects Business Intellegence Platform; Versions - 4.10, 4.20
High7.5
2660005[CVE-2018-2450] SQL Injection Vulnerability in SAP MaxDB/liveCache
Product - SAP MaxDB (liveCache); Versions - 7.8, 7.9
High7.2
2590705[CVE-2018-2451] Unsecure xs CLI session timeout handling in SAP HANA Extended Application Services, advanced
Product - SAP HANA Extended Application Services; Version - 1
Medium6.6
2630018[CVE-2018-2445] Server Side Request Forgery(SSRF) vulnerability in SAP BusinessObjects BI Platform Servers AdminTools
Product - SAP BusinessObjects Business Intelligence Platform; Versions - 4.1, 4.2 
Medium6.3
2621395[CVE-2018-2444] Cross-Site Scripting (XSS) vulnerability in SAP Financial Consolidation
Product - SAP BusinessObjects Financial Consolidation; Versions - 10.0, 10.1
Medium6.1
2671160[CVE-2018-2441] Missing input validation in ABAP Change and Transport System (CTS)
Product - SAP ABAP Change and Transport System (CTS); Versions - SAP KERNEL 32 NUC, SAP KERNEL 32 Unicode,
SAP KERNEL 64 NUC, SAP KERNEL 64 Unicode 7.21, 7.21EXT, 7.22 and 7.22EXT; SAP KERNEL 7.21, 7.22, 7.45, 7.49, 7.53 and 7.73
Medium5.5
2201710

Update to Security Note released on September 2015 Patch Day:
Fixing Logjam and Alternative chains certificate forgery vulnerabilities in multiple SAP products

Product - Sybase PowerBuilder; Version - 12.6
Product - SMP; Version - 2.3
Product - Agentry; Version - 6.0.54
Product - SAP Open Switch; Version - 15.1
Product - SAP Open Server; Versions - 15.7, 16.0
Product - SDK for SAP ASE; Version - 16.0
Product - SYBASE SOFTWARE DEV KIT; Version - 15.7
Product - SYBASE IQ; Version - 15.4
Product - SAP IQ; Version - 16.0
Product - Sybase SQL Anywhere; Versions - 12.0.1. 16.0
Product - SAP SQL Anywhere; Version - 17.0
Product - SAP SQL Anywhere OnDemand; Version - 1.0
Product - SAP ASE; Versions - 15.7, 16.0
Product - SAP Replication Server; Version - 15.7
Product - SYBASE ECDA; Version - 15.7
Product - SAP Hana smart data streaming; Version - 1
Product - SAP Complex Assembly Manufacturing; Version - 7.0
Product - SAP Data Services; Versions - All versions prior to DS 4.2

Medium5.4
2633846[CVE-2018-2446] Information disclosure vulnerability in BI Query Builder
Product - SAP BusinessObjects Business Intelligence; Versions - 4.1, 4.2
Medium5.3
2653846[CVE-2018-2448] Information Disclosure in SRM MDM Catalog
Product - SRM-MDM CATALOG; Versions - 3.0, 7.01, 7.02
Medium5.3
2653519[CVE-2018-2416] Missing XML Validation vulnerability in SAP Identity Management
Product - SAP Identity Management; Version - 7.2
Medium4.3 
2407193[CVE-2018-2442] Cross-Site Request Forgery (CSRF) in BI Launchpad Web Intelligence
Product - SAP Internet Graphics Server (IGS), Versions - 7.20, 7.20EXT, 7.45, 7.49, 7.53
Medium4.3
2633180 Update to Security Note released on August 2018 Patch Day:
[CVE-2018-2434] Content Spoofing vulnerability in SAP_UI component
Product - Infrastructure for UI add-on for SAP NetWeaver (UI_Infra), SAP UI Implementation for Decoupled Innovations(UI_700):
NW 7.00 Implementation, SAP User Interface Technology (SAP_UI), Versions - UI_Infra 1.0; SAP_UI 7.4, 7.5, 7.51, 7.52; UI_700 2.0
Medium4.3 

 

________________________________________________________________________________

Security Notes vs Vulnerability Types - August 2018

 

Security Notes vs Priority Distribution (March 2018 – August 2018)**

* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in SAP Support Portal

** Any Patch Day Security Note released after the second Tuesday, will be accounted for in the following SAP Security Patch Day.

Customers who would like to take a look at all Security Notes that are published or updated after the previous Patch Day, see: https://support.sap.com/securitynotes -> All Security Notes -> Filter for notes which have been published after 10th July 2018.

To know more about the security researchers and research companies who have contributed for security patches of this month, visit SAP Product Security Response Acknowledgement Page

Do write to us at secure@sap.com with all your comments and feedback on this blog post.

SAP Product Security Response Team

 

 

 

  • No labels