
This post by the SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply patches on a priority basis to protect their SAP landscape.

On 8th of January 2019, SAP Security Patch Day saw the release of 11 Security Notes. 

List of security notes released on January Patch Day:

 

| Note# | Title | Product | Priority | CVSS |
|---|---|---|---|---|
| 2696233 | [CVE-2019-0246] Multiple Vulnerabilities in SAP Cloud Connector. Related CVE - CVE-2019-0247 (CVSS: 6.0) | SAP Cloud Connector, Versions - before 2.11.3 | Hot News | 9.3 |
| 2727624 | [CVE-2019-0249] Information Disclosure in SAP Landscape Management | SAP Landscape Management, Versions - VCM 3.0 | Hot News | 9.1 |
| 2727623 | [CVE-2019-0243] Missing Authorization check in SAP BW/4HANA | SAP BW/4HANA, Version - 1.0 (SP08) | High | 7.1 |
| 2699233 | [CVE-2018-2499] Information Disclosure in SAP Financial Consolidation Cube Designer | SAP Financial Consolidation Cube Designer, Versions - BOBJ_EADES 8.0, 10.1 | Medium | 6.5 |
| 2697573 | [CVE-2019-0238] Cross-Site Scripting (XSS) vulnerability in SAP Commerce (ex. SAP Hybris Commerce) | SAP Commerce (ex. SAP Hybris Commerce), Versions - before 6.7 | Medium | 6.1 |
| 2725538 | [CVE-2019-0241] Denial of service (DOS) in SAP Work and Inventory Manager | SAP Work Manager, Versions - Agentry_SDK 7.0, 7.1 | Medium | 5.5 |
| 2607692 | [CVE-2019-0245] Cross-Site Scripting (XSS) vulnerability in SAP CRM WebClient UI | SAP CRM WebClient UI, Versions - SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01 | Medium | 5.4 |
| 2588763 | [CVE-2019-0244] Cross-Site Scripting (XSS) vulnerability in SAP CRM WebClient UI | SAP CRM WebClient UI, Versions - SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01 | Medium | 5.4 |
| 2724059 | [CVE-2019-0240] Denial of service (DOS) in SAP Business Objects Mobile for Android | SAP Business Objects Mobile for Android, Versions - before 6.3.5 | Medium | 4.3 |
| 2723142 | [CVE-2019-0248] Information Disclosure in SAP Gateway of ABAP Application Server | SAP Gateway of ABAP Application Server, Versions - SAP_GWFND 7.5, 7.51, 7.52, 7.53; SAP_BASIS 7.5 | Medium | 4.3 |
| 2662687 | [CVE-2018-2484] Missing Authorization check in SAP Enterprise Financial Services | SAP Enterprise Financial Services, Versions - SAPSCORE 1.13, 1.14, 1.15; S4CORE 1.01, 1.02, 1.03; EA-FINSERV 1.10, 2.0, 5.0, 6.0, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0; Bank/CFM 4.63_20 | Medium | 4.3 |

 

________________________________________________________________________________

[Figure: Security Notes vs Vulnerability Types - January 2019]

[Figure: Security Notes vs Priority Distribution (August 2018 – January 2019)**]

* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in the SAP Support Portal.

** Any Patch Day Security Note released after the second Tuesday will be accounted for in the following SAP Security Patch Day.

Customers who would like to see all Security Notes published or updated after December 11, 2018 can go to Launchpad Expert Search → Filter 'SAP Security Notes' released between 'Dec 12, 2018 - Jan 8, 2019' → Go.

To learn more about the security researchers and research companies who contributed to this month's security patches, visit the SAP Product Security Response Acknowledgement Page.

Do write to us at secure@sap.com with all your comments and feedback on this blog post.

SAP Product Security Response Team
