
This post by the SAP Product Security Response Team shares information on Patch Day Security Notes*, which are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply patches on a priority basis to protect their SAP landscape.

On the 9th of April 2019, SAP Security Patch Day saw the release of 6 Security Notes. Additionally, there were 3 updates to previously released security notes.

List of security notes released on April Patch Day:

 

| Note# | Title | Priority | CVSS |
|---|---|---|---|
| 2622660 | Update to security note released on April 2018 Patch Day:<br>Security updates for the browser control Google Chromium delivered with SAP Business Client<br>Product - SAP Business Client; Version - 6.5 | Hot News | 9.8 |
| 2687663 | [CVE-2019-0285] Information Disclosure in SAP Crystal Reports<br>Product - SAP Crystal Reports for Visual Studio, Version - 2010 | High | 7.5 |
| 2747683 | [CVE-2019-0283] SAP NetWeaver Process Integration (Adapter Engine) vulnerable to Digital Signature Spoofing<br>Product - SAP NetWeaver Process Integration (Adapter Engine), Versions - 710 to 711, 730, 731, 740, 750 | High | 7.1 |
| 2729710 | Update to security note released on February 2019 Patch Day:<br>[CVE-2019-0265] XML External Entity (XXE) vulnerability in SLD Registration of SAP NetWeaver and ABAP Platform<br>Product - SAP NetWeaver (SLD Registration), Versions - KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT; KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT; KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49; KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, KERNEL from 7.21 to 7.22, 7.45, 7.49<br>Product - ABAP Platform (SLD Registration), Versions - KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT; KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT; KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49; KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.73; KERNEL from 7.21 to 7.22, 7.45, 7.49, 7.53, 7.73, 7.75 | Medium | 6 |
| 2753629 | [CVE-2019-0279] Missing Authorization check for ABAP INST function module<br>Product - SAP BASIS, Version - 700 to 702, 710 to 730, 731, 740, 750 to 753 | Medium | 5.5 |
| 2742758 | [CVE-2019-0282] Information Disclosure in NetWeaver PI Runtime Workbench<br>Product - SAP NetWeaver Process Integration (Runtime Workbench), Versions - 710 to 711, 730, 731, 740, 750 | Medium | 5.3 |
| 2772376 | [CVE-2019-0284] XML External Entity vulnerability in SAP HANA sldreg<br>Product - SAP HANA, Versions - 1.0, 2.0 | Medium | 5.1 |
| 2741201 | [CVE-2019-0278] Information Disclosure in the SAP NetWeaver Process Integration (Messaging System)<br>Product - SAP NetWeaver Process Integration (Messaging System), Versions - 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 | Medium | 4.3 |
| 2662687 | Update to security note released on January 2019 Patch Day:<br>[CVE-2018-2484] Missing Authorization check in SAP Enterprise Financial Services<br>Product - SAP Enterprise Financial Services, Version - SAPSCORE 1.13, 1.14, 1.15; S4CORE 1.01, 1.02, 1.03; EA-FINSERV 1.10, 2.0, 5.0, 6.0, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0; Bank/CFM 4.63_20 | Medium | 4.3 |

 

________________________________________________________________________________

Security Notes vs Vulnerability Types - April 2019

 

Security Notes vs Priority Distribution (November 2018 – April 2019)**

 

* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in the SAP Support Portal.

** Any Patch Day Security Note released after the second Tuesday will be accounted for in the following SAP Security Patch Day.

Customers who would like to take a look at all Security Notes published or updated after March 12, 2019, can go to Launchpad Expert Search → Filter 'SAP Security Notes' released between 'Mar 12, 2019 - Apr 09, 2019' → Go.

To learn more about the security researchers and research companies who have contributed to this month's security patches, visit the SAP Product Security Response Acknowledgement Page.

Do write to us at secure@sap.com with all your comments and feedback on this blog post.

SAP Product Security Response Team
