This post by the SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply the patches on priority to protect their SAP landscape.
On 9th of October 2018, SAP Security Patch Day saw the release of 11 Security Notes. Additionally, there were 4 updates to previously released security notes.
List of security notes released on October Patch Day:
| Note# | Title | Priority | CVSS |
|---|---|---|---|
| 2654905 | [CVE-2018-2471] Information Disclosure in SAP BusinessObjects BI Suite Client | Hot News | 9.8 |
| 2622660 | Update to Security Note released on April 2018 Patch Day: | Hot News | 9.8 |
| 2699726 | [CVE-2018-2475] Missing network isolation in Gardener. Product: project "Gardener"; Versions: 0.12.2 | High | 8.5 |
| 2674215 | Denial of service (DoS) in OPC UA applications of SAP Plant Connectivity. Related CVEs: CVE-2018-12585, CVE-2018-12086. Product: SAP Plant Connectivity; Versions: 15.0, 15.1, 15.2 | High | 8.2 |
| 2392860 | Update to Security Note released on February 2017 Patch Day: Leveraging privileges by customer transaction code. Product: SAP Records Management; Versions: 7.0 to 7.02, 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, 7.51 | High | 8.0 |
| 2681207 | Update to Security Note released on September 2018 Patch Day: [CVE-2018-2465] Missing XML Validation vulnerability in SAP HANA, Extended Application Services classic model. Product: SAP HANA; Versions: 1.0, 2.0 | High | 7.5 |
| 2684760 | [CVE-2018-2470] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP Business Server Pages. Product: SAP NetWeaver Application Server for ABAP; Versions: 7.0 to 7.02, 7.30, 7.31, 7.40 and 7.50 to 7.53 | Medium | 6.1 |
| 2667103 | [CVE-2018-2472] Cross-Site Scripting (XSS) vulnerability in SAP Web Intelligence DHTML client. Product: SAP BusinessObjects Business Intelligence Platform; Versions: 4.10, 4.20 | Medium | 5.4 |
| 2618337 | [CVE-2018-2466] Cross-Site Scripting (XSS) vulnerability in SAP Data Services Management Console | Medium | 5.4 |
| 2665970 | Update to Security Note released on September 2018 Patch Day: Missing XML Validation vulnerability in Plant Connectivity (PCo). Related CVE: CVE-2017-12069. Product: SAP Plant Connectivity; Version: 15.0 | Medium | 5.3 |
| 2623618 | [CVE-2018-2467] File Path Disclosure in SAP Business Intelligence Software Development Kit. Product: SAP BusinessObjects BI Platform Servers (Software Development Kit); Versions: 4.1, 4.2 | Medium | 5.3 |
| 2679789 | [CVE-2018-2469] Information Disclosure in SAP Adaptive Server Enterprise. Product: SAP Adaptive Server Enterprise (ASE); Versions: 15.7, 16.0 | Medium | 4.9 |
| 2696889 | [CVE-2018-2474] Cross-Site Request Forgery (CSRF) vulnerability in SAP Approve Leave Request V2 application. Product: SAP Fiori 1.0 for SAP ERP HCM (Approve Leave Request, version 2); Version: 1.0 | Medium | 4.3 |
| 2688018 | [CVE-2018-2474] Cross-Site Request Forgery (CSRF) vulnerability in SAP Approve Leave Request V2 application. Product: SAP Fiori 1.0 for SAP ERP HCM (Approve Leave Request, version 2); Version: 1.0 | Medium | 4.3 |
| 2678615 | [CVE-2018-2468] Information Disclosure in SAP Adaptive Server Enterprise/Backup Server. Product: SAP Adaptive Server Enterprise (ASE); Versions: 15.7, 16.0 | Medium | 4.0 |
[Chart: Security Notes vs Vulnerability Types - October 2018]
[Chart: Security Notes vs Priority Distribution (May 2018 – October 2018)**]
* Patch Day Security Notes are all notes that appear under the category of "Patch Day Notes" in the SAP Support Portal.
** Any Patch Day Security Note released after the second Tuesday will be accounted for in the following SAP Security Patch Day.
Customers who would like to see all Security Notes that were published or updated after the previous Patch Day can go to https://support.sap.com/securitynotes -> All Security Notes -> Filter for notes published after 11th September 2018.
To know more about the security researchers and research companies who have contributed to the security patches of this month, visit the SAP Product Security Response Acknowledgement Page.
Do write to us at secure@sap.com with all your comments and feedback on this blog post.
SAP Product Security Response Team