This post by the SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply patches on priority to protect their SAP landscape.

On 12th of February 2019, SAP Security Patch Day saw the release of 13 Security Notes. Additionally, there were 3 updates to previously released security notes.

We would like to inform you that the vulnerability fixed by security note 2729710 is expected to be presented by a researcher at a security conference in March 2019. We therefore recommend that customers apply this SAP Security Note on priority.

List of security notes released on February Patch Day:

 

| Note# | Title | Priority | CVSS |
|---|---|---|---|
| 2622660 | Update to security note released on April 2018 Patch Day:<br>Security updates for the browser control Chromium delivered with SAP Business Client<br>Product - SAP Business Client; Version - 6.5 | Hot News | 9.8 |
| 2742027 | [CVE-2019-0261] Missing authentication check in SAP HANA Extended Application Services, advanced model<br>Product - SAP Landscape Management, Versions - VCM 3.0 | Hot News | 9.4 |
| 2729710 | [CVE-2019-0265] XML External Entity (XXE) vulnerability in SLD Registration of ABAP Platform<br>Product - ABAP Platform (SLD Registration), Versions - KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT; KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT; KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49; KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.73; KERNEL from 7.21 to 7.22, 7.45, 7.49, 7.53, 7.73, 7.75 | High | 8.7 |
| 2724014 | [CVE-2019-0258] Missing Authorization check in SAP Disclosure Management<br>Product - SAP Disclosure Management, Version - 10.01 | High | 8.3 |
| 2070691 | Update to security note released on November 2014 Patch Day:<br>Potential information disclosure relating to database server file system<br>Product - Solution Tools Plug-In (ST-PI); Versions - 2008_1_700, 2008_1_710, 740 | High | 7.7 |
| 2723570 | [CVE-2019-0255] ABAP Platform provides access to Easy Access Menu<br>Product - ABAP Platform, Versions - Krnl64nuc 7.74, krnl64UC 7.73, 7.74, Kernel 7.73, 7.74, 7.75 | High | 7.1 |
| 2425129 | Update to security note released on June 2017 Patch Day:<br>Missing XML Validation vulnerability in SAP Note Assistant<br>Product - SAP_BASIS; Versions - 7.00 to 7.02, 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, 7.51 | Medium | 6.9 |
| 2724713 | [CVE-2019-0266] Potential Information Disclosure in SAP HANA Extended Application Services, Advanced Model<br>Product - SAP HANA Extended Application Services, advanced model (XS advanced), Version - 1.0 | Medium | 6.8 |
| 2706798 | [CVE-2019-0254] Cross-Site Scripting (XSS) vulnerability in SAP Disclosure Management<br>Product - SAP Disclosure Management, Version - 10.01 Stack 1301 | Medium | 6.5 |
| 2727564 | [CVE-2019-0259] Unrestricted File Upload vulnerability in BO 4.2/ Visual Difference<br>Product - SAP BusinessObjects Business Intelligence Platform Servers (Enterprise), Versions - 4.2, 4.3 | Medium | 6.3 |
| 2686535 | [CVE-2019-0267] Cross site request forgery in implementation of Manufacturing Integration and Intelligence<br>Product - SAP Manufacturing Integration and Intelligence, Versions - 15.0, 15.1 and 15.2 | Medium | 6.3 |
| 2638175 | [CVE-2019-0251] Cross-Site Scripting (XSS) vulnerability in SAP Business Objects Fiori Launchpad<br>Product - SAP BusinessObjects Business Intelligence Platform, Versions - 4.2, 4.3 | Medium | 6.1 |
| 2723878 | [CVE-2019-0256] Information Disclosure in SAP Business One Mobile app for Android<br>Product - SAP Business One Mobile Android App, Version - 1.2.12 | Medium | 5.5 |
| 2728839 | [CVE-2019-0257] Missing Authorization check in ABAP Platform<br>Product - ABAP Platform (SAP Basis), Versions - from 7.0 to 7.02, from 7.10 to 7.11, 7.30, 7.31, 7.40, from 7.50 to 7.53, from 7.74 to 7.75 | Medium | 5.4 |
| 2709897 | Directory Traversal vulnerability in SAP Enterprise Architecture Designer v1.0 SP04<br>Related CVE IDs - CVE-2018-8039, CVE-2018-1002204<br>Product - SAP Enterprise Architecture Designer for SAP HANA, Versions - 1.0 | Medium | 5 |
| 2696714 | [CVE-2019-0262] Cross-Site Scripting (XSS) vulnerability in WebIntelligence BILaunchPad<br>Product - SAP WebIntelligence BILaunchPad (Enterprise), Versions - 4.10, 4.20 | Medium | 4.1 |

 

________________________________________________________________________________

Security Notes vs Vulnerability Types - February 2019

 

Security Notes vs Priority Distribution (September 2018 – February 2019)**

* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in SAP Support Portal

** Any Patch Day Security Note released after the second Tuesday, will be accounted for in the following SAP Security Patch Day.

Customers who would like to take a look at all Security Notes published or updated after January 8, 2018 can go to Launchpad Expert Search → Filter 'SAP Security Notes' released between 'Jan 8, 2019 - Feb 12, 2019' → Go.

To learn more about the security researchers and research companies who have contributed to this month's security patches, visit the SAP Product Security Response Acknowledgement Page.

Do write to us at secure@sap.com with all your comments and feedback on this blog post.

SAP Product Security Response Team
