This post by the SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply the patches on priority to protect their SAP landscape.
On 8th of January 2019, SAP Security Patch Day saw the release of 11 Security Notes.
List of security notes released on January Patch Day:
| Note# | Title | Priority | CVSS |
|---|---|---|---|
| 2696233 | [CVE-2019-0246] Multiple Vulnerabilities in SAP Cloud Connector | Hot News | 9.3 |
| 2727624 | [CVE-2019-0249] Information Disclosure in SAP Landscape Management | Hot News | 9.1 |
| 2727623 | [CVE-2019-0243] Missing Authorization check in SAP BW/4HANA. Product - SAP BW/4HANA, Version - 1.0 (SP08) | High | 7.1 |
| 2699233 | [CVE-2018-2499] Information Disclosure in SAP Financial Consolidation Cube Designer. Product - SAP Financial Consolidation Cube Designer, Versions - BOBJ_EADES 8.0, 10.1 | Medium | 6.5 |
| 2697573 | [CVE-2019-0238] Cross-Site Scripting (XSS) vulnerability in SAP Commerce (ex. SAP Hybris Commerce). Product - SAP Commerce (ex. SAP Hybris Commerce), Versions - before 6.7 | Medium | 6.1 |
| 2725538 | [CVE-2019-0241] Denial of service (DOS) in SAP Work and Inventory Manager | Medium | 5.5 |
| 2607692 | [CVE-2019-0245] Cross-Site Scripting (XSS) vulnerability in SAP CRM WebClient UI. Product - SAP CRM WebClient UI, Versions - SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01 | Medium | 5.4 |
| 2588763 | [CVE-2019-0244] Cross-Site Scripting (XSS) vulnerability in SAP CRM WebClient UI. Product - SAP CRM WebClient UI, Versions - SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01 | Medium | 5.4 |
| 2724059 | [CVE-2019-0240] Denial of service (DOS) in SAP Business Objects Mobile for Android | Medium | 4.3 |
| 2723142 | [CVE-2019-0248] Information Disclosure in SAP Gateway of ABAP Application Server. Product - SAP Gateway of ABAP Application Server, Versions - SAP_GWFND 7.5, 7.51, 7.52, 7.53; SAP_BASIS 7.5 | Medium | 4.3 |
| 2662687 | [CVE-2018-2484] Missing Authorization check in SAP Enterprise Financial Services. Product - SAP Enterprise Financial Services, Versions - SAPSCORE 1.13, 1.14, 1.15; S4CORE 1.01, 1.02, 1.03; EA-FINSERV 1.10, 2.0, 5.0, 6.0, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0; Bank/CFM 4.63_20 | Medium | 4.3 |
Chart: Security Notes vs Vulnerability Types - January 2019
Chart: Security Notes vs Priority Distribution (August 2018 – January 2019)**
* Patch Day Security Notes are all notes that appear under the category “Patch Day Notes” in the SAP Support Portal.
** Any Patch Day Security Note released after the second Tuesday will be accounted for in the following SAP Security Patch Day.
Customers who would like to see all Security Notes published or updated after December 11, 2018 can go to Launchpad Expert Search → Filter 'SAP Security Notes' released between 'Dec 12, 2018 - Jan 8, 2019' → Go.
To learn more about the security researchers and research companies who contributed to this month's security patches, visit the SAP Product Security Response Acknowledgement Page.
Do write to us at secure@sap.com with all your comments and feedback on this blog post.