This post by the SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply the patches on priority to protect their SAP landscape.
On 12 February 2019, SAP Security Patch Day saw the release of 13 Security Notes. Additionally, there were 3 updates to previously released security notes.
We would like to inform you that the vulnerability fixed by security note 2729710 is expected to be presented by a researcher at a security conference in March 2019. Therefore, we recommend that our customers apply the SAP Security Note on priority.
List of security notes released on February Patch Day:
| Note | Title | Product and Versions |
|---|---|---|
| | Update to security note released on April 2018 Patch Day: [CVE-2019-0261] Missing authentication check in SAP HANA Extended Application Services, advanced model | |
| 2729710 | [CVE-2019-0265] XML External Entity (XXE) vulnerability in SLD Registration of ABAP Platform | ABAP Platform (SLD Registration); Versions: KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT; KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT; KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49; KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.73; KERNEL 7.21 to 7.22, 7.45, 7.49, 7.53, 7.73, 7.75 |
| 2724014 | [CVE-2019-0258] Missing Authorization check in SAP Disclosure Management | SAP Disclosure Management; Version: 10.01 |
| | Update to security note released on November 2014 Patch Day: [CVE-2019-0255] ABAP Platform provides access to Easy Access Menu | |
| 2425129 | Update to security note released on June 2017 Patch Day: Missing XML Validation vulnerability in SAP Note Assistant | SAP_BASIS; Versions: 7.00 to 7.02, 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, 7.51 |
| 2724713 | [CVE-2019-0266] Potential Information Disclosure in SAP HANA Extended Application Services, Advanced Model | SAP HANA Extended Application Services, advanced model (XS advanced); Version: 1.0 |
| | [CVE-2019-0254] Cross-Site Scripting (XSS) vulnerability in SAP Disclosure Management | |
| 2727564 | [CVE-2019-0259] Unrestricted File Upload vulnerability in BO 4.2 / Visual Difference | SAP BusinessObjects Business Intelligence Platform Servers (Enterprise); Versions: 4.2, 4.3 |
| 2686535 | [CVE-2019-0267] Cross-Site Request Forgery in implementation of Manufacturing Integration and Intelligence | SAP Manufacturing Integration and Intelligence; Versions: 15.0, 15.1, 15.2 |
| 2638175 | [CVE-2019-0251] Cross-Site Scripting (XSS) vulnerability in SAP Business Objects Fiori Launchpad | SAP BusinessObjects Business Intelligence Platform; Versions: 4.2, 4.3 |
| 2723878 | [CVE-2019-0256] Information Disclosure in SAP Business One Mobile app for Android | SAP Business One Mobile Android App; Version: 1.2.12 |
| 2728839 | [CVE-2019-0257] Missing Authorization check in ABAP Platform | ABAP Platform (SAP Basis); Versions: 7.0 to 7.02, 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50 to 7.53, 7.74 to 7.75 |
| 2709897 | Directory Traversal vulnerability in SAP Enterprise Architecture Designer v1.0 SP04 (related CVE IDs: CVE-2018-8039, CVE-2018-1002204) | SAP Enterprise Architecture Designer for SAP HANA; Version: 1.0 |
| 2696714 | [CVE-2019-0262] Cross-Site Scripting (XSS) vulnerability in WebIntelligence BILaunchPad | SAP WebIntelligence BILaunchPad (Enterprise); Versions: 4.10, 4.20 |
[Chart: Security Notes vs Vulnerability Types - February 2019]
[Chart: Security Notes vs Priority Distribution (September 2018 – February 2019)**]
* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in SAP Support Portal
** Any Patch Day Security Note released after the second Tuesday will be accounted for in the following SAP Security Patch Day.
Customers who would like to take a look at all Security Notes published or updated after January 8, 2018 can go to Launchpad Expert Search → Filter 'SAP Security Notes' released between 'Jan 8, 2019 - Feb 12, 2019' → Go.
To know more about the security researchers and research companies who have contributed to this month's security patches, visit the SAP Product Security Response Acknowledgement Page.
Do write to us at firstname.lastname@example.org with all your comments and feedback on this blog post.