This post by the SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply patches on priority to protect their SAP landscape.
On 9th of April 2019, SAP Security Patch Day saw the release of 6 Security Notes. Additionally, there were 3 updates to previously released security notes.
List of security notes released on April Patch Day:
Note# | Title | Priority | CVSS |
2622660 | Update to security note release on April 2018 Patch Day: Security updates for the browser control Google Chromium delivered with SAP Business Client; Product - SAP Business Client; Version - 6.5 | Hot News | 9.8 |
2687663 | [CVE-2019-0285] Information Disclosure in SAP Crystal Reports | High | 7.5 |
2747683 | [CVE-2019-0283] SAP NetWeaver Process Integration (Adapter Engine) vulnerable to Digital Signature Spoofing | High | 7.1 |
2729710 | Update to security note release on February 2019 Patch Day: [CVE-2019-0265] XML External Entity (XXE) vulnerability in SLD Registration of SAP NetWeaver and ABAP Platform; Product - SAP NetWeaver (SLD Registration), Versions - KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT; KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT; KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49; KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, KERNEL from 7.21 to 7.22, 7.45, 7.49; Product - ABAP Platform (SLD Registration), Versions - KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT; KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT; KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49; KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49. 7.73; KERNEL from 7.21 to 7.22, 7.45, 7.49, 7.53, 7.73, 7.75 | Medium | 6 |
2753629 | [CVE-2019-0279] Missing Authorization check for ABAP INST function module; Product - SAP BASIS, Version - 700 to 702, 710 to 730, 731, 740, 750 to 753 | Medium | 5.5 |
2742758 | [CVE-2019-0282] Information Disclosure in NetWeaver PI Runtime Workbench; Product - SAP NetWeaver Process Integration (Runtime Workbench), Versions - 710 to 711, 730, 731, 740, 750 | Medium | 5.3 |
2772376 | [CVE-2019-0284] XML External Entity vulnerability in SAP HANA sldreg | Medium | 5.1 |
2741201 | [CVE-2019-0278] Information Disclosure in the SAP NetWeaver Process Integration (Messaging System); Product - SAP NetWeaver Process Integration (Messaging System), Versions - 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 | Medium | 4.3 |
2662687 | Update to security note release on January 2019 Patch Day: [CVE-2018-2484] Missing Authorization check in SAP Enterprise Financial Services; Product - SAP Enterprise Financial Services, Version - SAPSCORE 1.13, 1.14, 1.15; S4CORE 1.01, 1.02, 1.03; EA-FINSERV 1.10, 2.0, 5.0, 6.0, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0; Bank/CFM 4.63_20 | Medium | 4.3 |
________________________________________________________________________________
Security Notes vs Vulnerability Types - April 2019
Security Notes vs Priority Distribution (November 2018 – April 2019)**
* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in the SAP Support Portal.
** Any Patch Day Security Note released after the second Tuesday, will be accounted for in the following SAP Security Patch Day.
Customers who would like to take a look at all Security Notes published or updated after March 12, 2019, can go to Launchpad Expert Search → Filter 'SAP Security Notes' released between 'Mar 12, 2019 - Apr 09, 2019' → Go.
To know more about the security researchers and research companies who have contributed to this month's security patches, visit the SAP Product Security Response Acknowledgement Page.
Do write to us at secure@sap.com with all your comments and feedback on this blog post.
SAP Product Security Response Team