
This post by the SAP Product Security Response Team shares information on Patch Day Security Notes*, which are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply patches on a priority basis to protect their SAP landscape.

On 9th of October 2018, SAP Security Patch Day saw the release of 11 Security Notes. Additionally, there were 4 updates to previously released security notes.

List of security notes released on October Patch Day:

 

| Note# | Title | Priority | CVSS |
|---|---|---|---|
| 2654905 | [CVE-2018-2471] Information Disclosure in SAP BusinessObjects BI Suite Client. Product - SAP BusinessObjects Business Intelligence Platform; Version - 4.1, 4.2 | Hot News | 9.8 |
| 2622660 | Update to Security Note released on April 2018 Patch Day: Security updates for the browser control Chromium delivered with SAP Business Client. Product - SAP Business Client; Version - 6.5 | Hot News | 9.8 |
| 2699726 | [CVE-2018-2475] Missing network isolation in Gardener. Product - project “Gardener”; Versions - 0.12.2 | High | 8.5 |
| 2674215 | Denial of service (DOS) in OPC UA applications of SAP Plant Connectivity. Related CVEs - CVE-2018-12585, CVE-2018-12086. Product - SAP Plant Connectivity; Versions - 15.0, 15.1, 15.2 | High | 8.2 |
| 2392860 | Update to Security Note released on February 2017 Patch Day: Leveraging privileges by customer transaction code. Product - SAP Records Management; Versions - 7.0 to 7.02, 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, 7.51 | High | 8.0 |
| 2681207 | Update to Security Note released on September 2018 Patch Day: [CVE-2018-2465] Missing XML Validation vulnerability in SAP HANA, Extended Application Services classic model. Product - SAP HANA; Versions - 1.0, 2.0 | High | 7.5 |
| 2684760 | [CVE-2018-2470] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP Business Server Pages. Product - SAP NetWeaver Application Server for ABAP; Versions - from 7.0 to 7.02, 7.30, 7.31, 7.40 and from 7.50 to 7.53 | Medium | 6.1 |
| 2667103 | [CVE-2018-2472] Cross-Site Scripting (XSS) vulnerability in SAP Web Intelligence DHTML client Related. Product - SAP BusinessObjects Business Intelligence Platform, Version - 4.10, 4.20 | Medium | 5.4 |
| 2618337 | [CVE-2018-2466] Cross-Site Scripting (XSS) vulnerability in SAP Data Services Management Console. Product - SAP Data Services, Version - 4.2 | Medium | 5.4 |
| 2665970 | Update to Security Note released on September 2018 Patch Day: Missing XML Validation vulnerability in Plant Connectivity (PCo). Related CVE - CVE-2017-12069. Product - SAP Plant Connectivity, Version - 15.0 | Medium | 5.3 |
| 2623618 | [CVE-2018-2467] File Path Disclosure in SAP Business Intelligence Software Development Kit. Product - SAP BusinessObjects BI Platform Servers (Software Development Kit); Versions - 4.1, 4.2 | Medium | 5.3 |
| 2679789 | [CVE-2018-2469] Information Disclosure in SAP Adaptive Server Enterprise. Product - SAP Adaptive Server Enterprise (ASE); Versions - 15.7, 16.0 | Medium | 4.9 |
| 2696889 | [CVE-2018-2474] Cross-Site Request Forgery (CSRF) vulnerability in SAP Approve Leave Request V2 application. Product - SAP Fiori 1.0 for SAP ERP HCM (Approve Leave Request, version 2), Version - 1.0 | Medium | 4.3 |
| 2688018 | [CVE-2018-2474] Cross-Site Request Forgery (CSRF) vulnerability in SAP Approve Leave Request V2 application. Product - SAP Fiori 1.0 for SAP ERP HCM (Approve Leave Request, version 2), Version - 1.0 | Medium | 4.3 |
| 2678615 | [CVE-2018-2468] Information Disclosure in SAP Adaptive Server Enterprise/Backup Server. Product - SAP Adaptive Server Enterprise (ASE), Version - 15.7, 16.0 | Medium | 4.0 |

 

________________________________________________________________________________

[Chart: Security Notes vs Vulnerability Types - October 2018]

[Chart: Security Notes vs Priority Distribution (May 2018 – October 2018)**]

* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in SAP Support Portal

** Any Patch Day Security Note released after the second Tuesday, will be accounted for in the following SAP Security Patch Day.

Customers who would like to see all Security Notes published or updated after the previous Patch Day can go to: https://support.sap.com/securitynotes -> All Security Notes -> Filter for notes which have been published after 11th September 2018.

To learn more about the security researchers and research companies who have contributed to this month's security patches, visit the SAP Product Security Response Acknowledgement Page.

Do write to us at secure@sap.com with all your comments and feedback on this blog post.

SAP Product Security Response Team
