SAP Security Patch Day – June 2019

This post by SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that the customer visits the Support Portal and applies patches on a priority to protect their SAP landscape.

On 11th of June 2019, SAP Security Patch Day saw the release of 11 Security Notes. Additionally, there were 3 updates to previously released security notes.

We would like to inform our Customers that starting June Patch Day, all new SAP Security Notes with high and very high priority will deliver fix for Support Packages shipped within last 24 months. This is enhanced from previous Support Package coverage of 18 months. Read more.

List of security notes released on June Patch Day:

Note#	Title	Priority	CVSS
2622660	Update to Security Note released on April 2018 Patch Day: Security updates for the browser control Google Chromium delivered with SAP Business Client Product - SAP Business Client; Version - 6.5	Hot News	9.8
2748699	*Update to Security Note released on May 2019 Patch Day:* [CVE-2019-0291] Information Disclosure in Solution Manager 7.2 / CA Introscope Enterprise Manager Product - Solution Manager, Version - 7.2	High	7.1
2773493	[CVE-2019-0308] Code Injection vulnerability in SAP E-Commerce (Business-to-Consumer) Application Product - SAP E-Commerce (Business-to-Consumer application), Versions - SAP-CRMJAV, SAP-CRMWEB, SAP-SHRWEB, SAP-SHRJAV, SAP-CRMAPP, SAP-SHRAPP 7.30, 7.31, 7.32, 7.33, 7.54	Medium	6.8
2728153	[CVE-2019-0311] Cross Site Scripting (XSS) vulnerability in Automotive Dealer Portal of SAP R/3 Enterprise Application Product - SAP R/3 Enterprise Application, Versions - EA-APPL 600, 602, 603, 604, 605, 606, 616, 617	Medium	6.1
2637997	[CVE-2019-0303] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (Administration Console) Product - SAP BusinessObjects Business Intelligence Platform (Administration Console), Versions - 4.2, 4.3	Medium	6.1
2755438	[CVE-2019-0315] Information Disclosure in Integration Builder Framework of SAP NetWeaver Process Integration Product - SAP NetWeaver Process Integration (PI Integration Builder Web UI), Versions - SAP_XIESR: 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, SAP_XITOOL: 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50, SAP_XIPCK 7.10 to 7.11, 7.20, 7.30	Medium	5.8
2793805	[CVE-2019-0314] Denial of service (DOS) in SAP Work Manager and SAP Inventory Manager Product - SAP Work Manager and SAP Inventory Manager, Versions - SAP Work Manager 6.3.0, 6.4.0, 6.5	Medium	5.5
2719530	[CVE-2019-0304] Code Injection vulnerability in SAP NetWeaver AS ABAP Platform (FTP Function) Product - SAP NetWeaver AS ABAP Platform, Versions - KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.73, KERNEL 7.21, 7.45, 7.49, 7.53, 7.73	Medium	5.5
2744086	[CVE-2019-0312] Information Disclosure in SAP NetWeaver Process Integration Product - SAP NetWeaver Process Integration, Versions - SAP_XIESR: 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 SAP_XITOOL: 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50	Medium	5.3
2745917	[CVE-2019-0316] Cross-Site Scripting (XSS) vulnerability in Integration Builder of SAP NetWeaver Process Integration Product - SAP NetWeaver Process Integration, Versions - SAP_XIESR: 7.20, SAP_XITOOL: 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50	Medium	4.8
2755502	[CVE-2019-0305] Clickjacking vulnerability in Integration Builder Framework of SAP NetWeaver Process Integration Product - SAP NetWeaver Process Integration, Versions - SAP_XIESR and SAP_XITOOL: 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50	Medium	4.3
2771128	[CVE-2019-0306] Information Disclosure in SAP HANA Extended Application Services (advanced model) Product - SAP HANA Extended Application Services (advanced model), Version - 1	Medium	4.3
2662687	*Update to security note release on January 2019 Patch Day:* [CVE-2018-2484] Missing Authorization check in SAP Enterprise Financial Services Product - SAP Enterprise Financial Services, Versions - SAPSCORE 1.13, 1.14, 1.15; S4CORE 1.01, 1.02, 1.03; EA-FINSERV 1.10, 2.0, 5.0, 6.0, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0; Bank/CFM 4.63_20	Medium	4.3
2772266	[CVE-2019-0307] Information Disclosure in Solution Manager 7.2 (Diagnostics Agent) Product - Solution Manager (Diagnostics Agent), Versions - 7.2	Low	3.4

________________________________________________________________________________

Security Notes vs Vulnerability Types - June 2019

Security Notes vs Priority Distribution (January 2019 – June 2019)**

* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in SAP Support Portal

** Any Patch Day Security Note released after the second Tuesday, will be accounted for in the following SAP Security Patch Day.

Customers who would like to take a look at all Security Notes published or updated after May 14, 2019, go to Launchpad Expert Search → Filter 'SAP Security Notes' released between 'May 14, 2019 - June 11, 2019' → Go.

To know more about the security researchers and research companies who have contributed for security patches of this month, visit SAP Product Security Response Acknowledgement Page

Do write to us at secure@sap.com with all your comments and feedback on this blog post.

SAP Product Security Response Team