This post by the SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply patches on a priority basis to protect their SAP landscape.
On 11 December 2018, SAP Security Patch Day saw the release of 9 Security Notes. Additionally, there were 3 updates to previously released Security Notes.
List of Security Notes released on the December Patch Day:

| Note# | Title | Priority | CVSS |
|---|---|---|---|
| 2622660 | Update to a security note released on April 2018 Patch Day: | Hot News | 9.8 |
| 2711425 | [CVE-2018-2505] Cross-Site Scripting (XSS) vulnerability in SAP Hybris Commerce storefronts | Hot News | 9.3 |
| 2698996 | [CVE-2018-2494] Missing Authorization check in SAP Customizing Tools. Product - SAP Basis (“AS ABAP of SAP NetWeaver” 700 to 750; from 750 onwards delivered as “ABAP Platform”), Versions - 7.00 to 7.02, 7.10 to 7.30, 7.31, 7.40, 7.50 to 7.53 | High | 8.3 |
| 2658279 | [CVE-2018-2503] Wrong default authorizations in AS Java keystore service. Product - SAP NetWeaver, Versions - ServerCore (7.11, 7.20, 7.30, 7.31, 7.40, 7.50) | High | 7.4 |
| 2642680 | [CVE-2018-2492] Missing XML Validation in SAP NetWeaver AS Java. Product - SAP NetWeaver (Application Server Java Library), Versions - 7.20, 7.30, 7.31 and 7.50 | High | 7.1 |
| 2718993 | [CVE-2018-2504] Cross-Site Scripting using host header in SAP NetWeaver AS Java | Medium | 6.1 |
| 2671160 | Update to a security note released on August 2018 Patch Day: [CVE-2018-2441] Missing input validation in ABAP Change and Transport System (CTS). Product - SAP ABAP Change and Transport System (CTS); Versions - SAP KERNEL 32 NUC, SAP KERNEL 32 Unicode, SAP KERNEL 64 NUC, SAP KERNEL 64 Unicode 7.21, 7.21EXT, 7.22 and 7.22EXT; SAP KERNEL 7.21, 7.22, 7.45, 7.49, 7.53, 7.73, 7.74 | Medium | 5.5 |
| 2705204 | [CVE-2018-2486] Cross-Site Scripting (XSS) vulnerability in SAP Marketing Content Studio. Product - SAP Marketing, Versions - UICUAN (1.20, 1.30, 1.40), SAPSCORE (1.13, 1.14) | Medium | 5.4 |
| 2028904 | Update to a security note released on September 2014 Patch Day: | Medium | 5.4 |
| 2680492 | [CVE-2018-2502] Insecure HTTP Method Enabled in SAP Business One Service Layer. Product - SAP Business One Service Layer, Version - B1_ON_HANA (9.2, 9.3) | Medium | 5.3 |
| 2707024 | [CVE-2018-2500] Information Disclosure in Mobile Secure Android client. Product - SAP Mobile Secure for Android, Version - 6.60.19942.0 SP28 1711 | Medium | 4.0 |
| 2704878 | [CVE-2018-2497] Event not logged in SAP HANA database audit log. Product - SAP HANA, Versions - 1.0, 2.0 | Low | 2.7 |
________________________________________________________________________________
[Chart: Security Notes vs Vulnerability Types - December 2018]
[Chart: Security Notes vs Priority Distribution (July 2018 – December 2018)**]
* Patch Day Security Notes are all notes that appear under the category “Patch Day Notes” in the SAP Support Portal.
** Any Patch Day Security Note released after the second Tuesday will be accounted for in the following SAP Security Patch Day.
Customers who would like to see all Security Notes published or updated after the previous Patch Day can visit https://support.sap.com/securitynotes -> All Security Notes -> Filter for notes published after 13th November 2018.
To know more about the security researchers and research companies who contributed to this month's security patches, visit the SAP Product Security Response Acknowledgement Page.
Do write to us at secure@sap.com with all your comments and feedback on this blog post.