This post by SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that the customer visits the Support Portal and applies patches on a priority to protect their SAP landscape.
On 14th of May 2019, SAP Security Patch Day saw the release of 8 Security Notes. Additionally, there were 5 updates to previously released security notes.
List of security notes released on May Patch Day:
| Note# | Title | Priority | CVSS |
| 2784307 | [CVE-2019-0301] Privilege Escalation in SAP Identity Management REST Interface Version 2 Product - SAP Identity Management (REST Interface); Version - 2 | High | 8.4 |
| 2737278 | [CVE-2019-0287] Information Disclosure in SAP BusinessObjects Business Intelligence platform / Central Management Server | Medium | 6.3 |
| 2744937 | [CVE-2019-0280] Missing authorization check in SAP Treasury and Risk Management | Medium | 6.3 |
| 2773086 | [CVE-2019-0298] Cross-Site Scripting (XSS) vulnerability in SAP E-Commerce (Business-to-Consumer) application Product - SAP E-Commerce (Business-to-Consumer), Versions - (SAP-CRMJAV SAP-CRMWEB SAP-SHRWEB SAP-SHRJAV SAP-CRMAPP SAP-SHRAPP) 7.30, 7.31, 7.32, 7.33, 7.54 | Medium | 6.1 |
| 2738796 | [CVE-2019-0289] Information Disclosure in SAP BusinessObjects Business Intelligence platform / Analysis for OLAP Product - SAP BusinessObjects Business Intelligence platform, Versions - 4.2, 4.3 | Medium | 5.4 |
| 962319 | Update to security note release on October 2009 Patch Day: | Medium | 5.3 |
| 2756625 | [CVE-2019-0293] Missing Authorization check in check of RFC destinations on SAP Solution Manager and ABAP managed systems | Medium | 5 |
| 1525125 | Update to security note release on December 2010 Patch Day: | Medium | 4.8 |
| 1408081 | Update to security note release on September 2010 Patch Day: | Medium | 4.8 |
| 2664504 | Update 1 to SAP Security Note 1715734 Product - Dbpool of AS JAVA, Versions - 6.40, 7.00, 7.01, 7.10, 7.11, 7.20, 7.30, 7.31, 7.40 | Medium | 4.7 |
| 1715734 | Update to security note release on March 2013 Patch Day: Missing authorization check in dbpool administration Product - Dbpool of AS JAVA, Versions - 6.40, 7.00, 7.01, 7.10, 7.11, 7.20, 7.30, 7.31, 7.40 | Medium | 4.7 |
| 2748699 | [CVE-2019-0291] Information Disclosure in Solution Manager 7.2 / CA Introscope Enterprise Manager Product - Solution Manager, Version - 7.2 | Medium | 4.3 |
| 2662687 | Update to security note release on January 2019 Patch Day: [CVE-2018-2484] Missing Authorization check in SAP Enterprise Financial Services Product - SAP Enterprise Financial Services, Versions - SAPSCORE 1.13, 1.14, 1.15; S4CORE 1.01, 1.02, 1.03; EA-FINSERV 1.10, 2.0, 5.0, 6.0, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0; Bank/CFM 4.63_20 | Medium | 4.3 |
________________________________________________________________________________
Security Notes vs Vulnerability Types - May 2019
Security Notes vs Priority Distribution (December 2018 – May 2019)**
* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in SAP Support Portal
** Any Patch Day Security Note released after the second Tuesday, will be accounted for in the following SAP Security Patch Day.
Customers who would like to take a look at all Security Notes published or updated after April 9, 2019, go to Launchpad Expert Search → Filter 'SAP Security Notes' released between 'Apr 9, 2019 - May 14, 2019' → Go.
To know more about the security researchers and research companies who have contributed for security patches of this month, visit SAP Product Security Response Acknowledgement Page
Do write to us at secure@sap.com with all your comments and feedback on this blog post.
SAP Product Security Response Team