
This post by the SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply these patches on priority to protect their SAP landscape.

On 11th of December 2018, SAP Security Patch Day saw the release of 9 Security Notes. Additionally, there were 3 updates to previously released security notes.

List of security notes released on December Patch Day:

Update to a security note released on April 2018 Patch Day:
Security updates for the browser control Chromium delivered with SAP Business Client
Product - SAP Business Client; Version - 6.5
Priority - Hot News; CVSS - 9.8

[CVE-2018-2505] Cross-Site Scripting (XSS) vulnerability in SAP Hybris Commerce storefronts
Product - SAP Commerce (SAP Hybris Commerce), Versions - 6.2, 6.3, 6.4, 6.5, 6.6, 6.7
Priority - Hot News; CVSS - 9.3

Note 2698996 - [CVE-2018-2494] Missing Authorization check in SAP Customizing Tools
Product - SAP Basis (“AS ABAP of SAP NetWeaver” 700 to 750, from 750 onwards delivered as “ABAP Platform”),
Versions - 7.00 to 7.02, 7.10 to 7.30, 7.31, 7.40, 7.50 to 7.53

Note 2658279 - [CVE-2018-2503] Wrong default authorizations in AS Java keystore service
Product - SAP NetWeaver, Versions - ServerCore (7.11, 7.20, 7.30, 7.31, 7.40, 7.50)

Note 2642680 - [CVE-2018-2492] Missing XML Validation in SAP NetWeaver AS Java
Product - SAP NetWeaver (Application Server Java Library), Versions - 7.20, 7.30, 7.31 and 7.50

[CVE-2018-2504] Cross-Site Scripting using host header in SAP NetWeaver AS Java
Product - SAP NetWeaver AS Java, Versions - ServerCore (7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50)

Note 2671160 - Update to a security note released on August 2018 Patch Day:
[CVE-2018-2441] Missing input validation in ABAP Change and Transport System (CTS)
Product - SAP ABAP Change and Transport System (CTS);
Versions - SAP KERNEL 32 NUC, SAP KERNEL 32 Unicode, SAP KERNEL 64 NUC, SAP KERNEL 64 Unicode 7.21, 7.21EXT, 7.22 and 7.22EXT; SAP KERNEL 7.21, 7.22, 7.45, 7.49, 7.53, 7.73, 7.74

Note 2705204 - [CVE-2018-2486] Cross-Site Scripting (XSS) vulnerability in SAP Marketing Content Studio
Product - SAP Marketing, Versions - UICUAN (1.20, 1.30, 1.40), SAPSCORE (1.13, 1.14)

Update to a security note released on September 2014 Patch Day:
Cross-Frame Scripting protection in SAP ABAP HTTP logon application
Product - SAP_BASIS, Versions - 6.40, 7.00, 7.01, 7.02, 7.10, 7.11, 7.20, 7.30, 7.31, 7.40

Note 2680492 - [CVE-2018-2502] Insecure HTTP Method Enabled in SAP Business One Service Layer
Product - SAP Business One Service Layer, Version - B1_ON_HANA (9.2, 9.3)

Note 2707024 - [CVE-2018-2500] Information Disclosure in Mobile Secure Android client
Product - SAP Mobile Secure for Android, Version - 6.60.19942.0 SP28 1711

Note 2704878 - [CVE-2018-2497] Event not logged in SAP HANA database audit log
Product - SAP HANA, Versions - 1.0, 2.0

[Chart] Security Notes vs Vulnerability Types - December 2018

[Chart] Security Notes vs Priority Distribution (July 2018 – December 2018)**

* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in SAP Support Portal

** Any Patch Day Security Note released after the second Tuesday will be accounted for in the following SAP Security Patch Day.

Customers who would like to take a look at all Security Notes that are published or updated after the previous Patch Day, see: -> All Security Notes -> Filter for notes which have been published after 13th November 2018.

To know more about the security researchers and research companies who have contributed to the security patches of this month, visit the SAP Product Security Response Acknowledgement Page.

Do write to us at with all your comments and feedback on this blog post.

SAP Product Security Response Team
