Registration

Dear SAP Community Member,
In order to fully benefit from what the SAP Community has to offer, please register at:
http://scn.sap.com
Thank you,
The SAP Community team.
Skip to end of metadata
Go to start of metadata

This post by SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that the customer visits the Support Portal and applies patches on a priority to protect their SAP landscape.

On 14th of May 2019, SAP Security Patch Day saw the release of 8 Security Notes. Additionally, there were 5 updates to previously released security notes.

List of security notes released on May Patch Day:

 

Note#TitlePriorityCVSS
2784307[CVE-2019-0301Privilege Escalation in SAP Identity Management REST Interface Version 2
Product - SAP Identity Management (REST Interface); Version - 2
High8.4
2737278

[CVE-2019-0287Information Disclosure in SAP BusinessObjects Business Intelligence platform / Central Management Server
Product - SAP BusinessObjects Business Intelligence platform (Central Management Server), Versions - 4.20, 4.30

Medium6.3
2744937

[CVE-2019-0280Missing authorization check in SAP Treasury and Risk Management
Product - SAP Treasury and Risk Management, Versions - 6.0, 6.03, 6.04, 6.05, 6.06, 6.16, 617, 6.18, 8.0

Medium6.3
2773086[CVE-2019-0298Cross-Site Scripting (XSS) vulnerability in SAP E-Commerce (Business-to-Consumer) application
Product - SAP E-Commerce (Business-to-Consumer), Versions - (SAP-CRMJAV SAP-CRMWEB SAP-SHRWEB SAP-SHRJAV SAP-CRMAPP SAP-SHRAPP) 7.30, 7.31, 7.32, 7.33, 7.54
Medium6.1
2738796[CVE-2019-0289] Information Disclosure in SAP BusinessObjects Business Intelligence platform / Analysis for OLAP
Product - SAP BusinessObjects Business Intelligence platform, Versions - 4.2, 4.3
Medium5.4
962319

Update to security note release on October 2009 Patch Day: 
Detailed error messages with stack trace in Web Dynpro

Product - Web Dynpro Java, Versions - 6.40, 7.00, 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50
Medium5.3
2756625

[CVE-2019-0293Missing Authorization check in check of RFC destinations on SAP Solution Manager and ABAP managed systems
Product -  SAP Solution Manager system (ST-PI), Versions - 2008_1_700, 2008_1_710, and 740

Medium5 
1525125

Update to security note release on December 2010 Patch Day:
Update #1 to Security Note 1408081
Software Component -  KRNL32NUC, Versions - 7.20, 7.20EXT
Software Component -  KRNL32UC, Versions - 7.20, 7.20EXT
Software Component -  KRNL64NUC, Versions - 7.20, 7.20EXT
Software Component -  KRNL64UC, Versions - 7.20, 7.2L, 7.20EXT, 8.00
Software Component -  KERNEL, Versions - 7.20, 7.2L, 8.00

Medium4.8
1408081

Update to security note release on September 2010 Patch Day:
Basic settings for reg_info and sec_info
Software Component -  SAP BASIS, Versions - 46D, 6.40, from 7.00 to 7.02, 7.10, 7.30, 7.31, 7.40

Medium4.8
2664504Update 1 to SAP Security Note 1715734
Product - Dbpool of AS JAVA, Versions - 6.40, 7.00, 7.01, 7.10, 7.11, 7.20, 7.30, 7.31, 7.40
Medium4.7
1715734Update to security note release on March 2013 Patch Day: 
Missing authorization check in dbpool administration
Product - Dbpool of AS JAVA, Versions - 6.40, 7.00, 7.01, 7.10, 7.11, 7.20, 7.30, 7.31, 7.40
Medium4.7
2748699[CVE-2019-0291] Information Disclosure in Solution Manager 7.2 / CA Introscope Enterprise Manager
Product - Solution Manager, Version - 7.2
Medium4.3
2662687Update to security note release on January 2019 Patch Day: 
[
CVE-2018-2484] Missing Authorization check in SAP Enterprise Financial Services
Product - SAP Enterprise Financial Services, Versions - SAPSCORE 1.13, 1.14, 1.15; S4CORE 1.01, 1.02, 1.03; 
EA-FINSERV 1.10, 2.0, 5.0, 6.0, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0; Bank/CFM 4.63_20
Medium4.3

 

________________________________________________________________________________

Security Notes vs Vulnerability Types - May 2019

 

Security Notes vs Priority Distribution (December 2018 – May 2019)**

 

* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in SAP Support Portal

** Any Patch Day Security Note released after the second Tuesday, will be accounted for in the following SAP Security Patch Day.

Customers who would like to take a look at all Security Notes published or updated after April 9, 2019, go to Launchpad Expert Search → Filter 'SAP Security Notes'  released between 'Apr 9, 2019 - May 14, 2019' → Go.

To know more about the security researchers and research companies who have contributed for security patches of this month, visit SAP Product Security Response Acknowledgement Page

Do write to us at secure@sap.com with all your comments and feedback on this blog post.

SAP Product Security Response Team


  • No labels