Registration

Dear SAP Community Member,
In order to fully benefit from what the SAP Community has to offer, please register at:
http://scn.sap.com
Thank you,
The SAP Community team.
Skip to end of metadata
Go to start of metadata

This post by SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that the customer visits the Support Portal and applies patches on a priority to protect their SAP landscape.

On 13th of November 2018, SAP Security Patch Day saw the release of 11 Security Notes. Additionally, there were 3 updates to previously released security notes.

List of security notes released on November Patch Day:

 

Note#TitlePriorityCVSS
2681280

Security vulnerability in Spring Framework library used by SAP HANA Streaming Analytics
Related CVEs - CVE-2018-1270, CVE-2018-1275
Product - SAP HANA Streaming Analytics; Version - 2.0

Hot News9.9
2691126

[CVE-2018-2485] Security vulnerabilities in SAP Fiori Client 
Related CVEs - CVE-2018-2488, CVE-2018-2491, CVE-2018-2489, CVE-2018-2490
Product
- SAP Fiori Client

High8.6
2699726Update to Security Note released on October 2018 Patch Day:
[CVE-2018-2475] Missing network isolation in Gardener
Product - project “Gardener”; Version - 0.12.4
High8.5
2701410[CVE-2018-2487] Zip Slip in SAP Disclosure Management
Product - SAP Disclosure Management; Versions - 10.x
High8.0
2657670[CVE-2018-2473] Denial of service (DOS) in Web Intelligence Richclient 3 Tiers Mode
Product - SAP BusinessObjects BI Platform Server; Versions - 4.1, 4.2 
High7.7
2693083

[CVE-2018-2481] Leveraging privileges by customer transaction code
Product
- SAP_ABA; Versions - 7.00 to 7.02, 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50, 75C to 75D

High7.6
2675696[CVE-2018-2478] Remote Code Execution on TREX/BWA
Product - SAP Basis (TREX / BWA installation); Versions - 7.0 to 7.02, 710 to 7.11, 7.30, 7.31, 7.40 and 7.50 to 7.53
Medium6.6
2661740[CVE-2018-2477] XML External Entity (XXE) vulnerability in SAP NetWeaver Knowledge Management XMLForms
ProductKnowledge Management (XMLForms) in SAP NetWeaver; Versions - 7.30, 7.31, 7.40 and 7.50
Medium6.5
2630018

Update to Security Note released on August 2018 Patch Day: 
[CVE-2018-2445] Server Side Request Forgery(SSRF) vulnerability in SAP BusinessObjects BI Platform Servers AdminTools
Product - SAP BusinessObjects Business Intelligence; Versions - 4.1, 4.2

Medium6.3
2676094[CVE-2018-2479] Cross-site Scripting vulnerability in BIWorkspace
ProductSAP BusinessObjects Business Intelligence Platform (BIWorkspace); Versions - 4.1, 4.2
Medium6.1
2684760 Update to Security Note released on October 2018 Patch day:
[CVE-2018-2470] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP Business Server Pages
Medium6.1
2658755[CVE-2018-2476] URL Redirection vulnerability in "Forums in SAP NetWeaver"
Product - SAP NetWeaver (forums); Versions - 7.30, 7.31 and 7.40
Medium4.7 
2647714[CVE-2018-2483] HTTP Verb Tampering vulnerability in SAP BI CMC
Product - SAP BusinessObjects Business Intelligence Platform; Versions - 4.1, 4.2
Medium4.3
2695896 [CVE-2018-2482] Denial of Service(DoS) in SAP Mobile Secure Android Application
Product - SAP Mobile Secure Android Application; Version - 6.60.19942.0
Medium4.0

 

________________________________________________________________________________

Security Notes vs Vulnerability Types - November 2018

 

Security Notes vs Priority Distribution (June 2018 – November 2018)**

* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in SAP Support Portal

** Any Patch Day Security Note released after the second Tuesday, will be accounted for in the following SAP Security Patch Day.

Customers who would like to take a look at all Security Notes that are published or updated after the previous Patch Day, see: https://support.sap.com/securitynotes -> All Security Notes -> Filter for notes which have been published after 9th October 2018.

To know more about the security researchers and research companies who have contributed for security patches of this month, visit SAP Product Security Response Acknowledgement Page

Do write to us at secure@sap.com with all your comments and feedback on this blog post.

SAP Product Security Response Team

  • No labels