
This post by the SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply the patches with priority to protect their SAP landscape.

On 11 June 2019, SAP Security Patch Day saw the release of 11 Security Notes. Additionally, there were 3 updates to previously released Security Notes.

We would like to inform our customers that, starting with the June Patch Day, all new SAP Security Notes with high and very high priority will deliver fixes for Support Packages shipped within the last 24 months. This extends the previous Support Package coverage of 18 months.

List of security notes released on June Patch Day (Note#, Priority, CVSS score, followed by title and affected product/versions):

2622660 (Hot News, CVSS 9.8)
Update to Security Note released on April 2018 Patch Day: Security updates for the browser control Google Chromium delivered with SAP Business Client
Product - SAP Business Client; Version - 6.5

2748699 (High, CVSS 7.1)
Update to Security Note released on May 2019 Patch Day: [CVE-2019-0291] Information Disclosure in Solution Manager 7.2 / CA Introscope Enterprise Manager
Product - Solution Manager, Version - 7.2

2773493 (Medium, CVSS 6.8)
[CVE-2019-0308] Code Injection vulnerability in SAP E-Commerce (Business-to-Consumer) Application
Product - SAP E-Commerce (Business-to-Consumer application), Versions - SAP-CRMJAV, SAP-CRMWEB, SAP-SHRWEB, SAP-SHRJAV, SAP-CRMAPP, SAP-SHRAPP 7.30, 7.31, 7.32, 7.33, 7.54

2728153 (Medium, CVSS 6.1)
[CVE-2019-0311] Cross Site Scripting (XSS) vulnerability in Automotive Dealer Portal of SAP R/3 Enterprise Application
Product - SAP R/3 Enterprise Application, Versions - EA-APPL 600, 602, 603, 604, 605, 606, 616, 617

2637997 (Medium, CVSS 6.1)
[CVE-2019-0303] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (Administration Console)
Product - SAP BusinessObjects Business Intelligence Platform (Administration Console), Versions - 4.2, 4.3

2755438 (Medium, CVSS 5.8)
[CVE-2019-0315] Information Disclosure in Integration Builder Framework of SAP NetWeaver Process Integration
Product - SAP NetWeaver Process Integration (PI Integration Builder Web UI), Versions - SAP_XIESR: 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; SAP_XITOOL: 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50; SAP_XIPCK: 7.10 to 7.11, 7.20, 7.30

2793805 (Medium, CVSS 5.5)
[CVE-2019-0314] Denial of service (DOS) in SAP Work Manager and SAP Inventory Manager
Product - SAP Work Manager and SAP Inventory Manager, Versions - SAP Work Manager 6.3.0, 6.4.0, 6.5

2719530 (Medium, CVSS 5.5)
[CVE-2019-0304] Code Injection vulnerability in SAP NetWeaver AS ABAP Platform (FTP Function)
Product - SAP NetWeaver AS ABAP Platform, Versions - KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT; KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT; KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49; KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.73; KERNEL 7.21, 7.45, 7.49, 7.53, 7.73

2744086 (Medium, CVSS 5.3)
[CVE-2019-0312] Information Disclosure in SAP NetWeaver Process Integration
Product - SAP NetWeaver Process Integration, Versions - SAP_XIESR: 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; SAP_XITOOL: 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50

2745917 (Medium, CVSS 4.8)
[CVE-2019-0316] Cross-Site Scripting (XSS) vulnerability in Integration Builder of SAP NetWeaver Process Integration
Product - SAP NetWeaver Process Integration, Versions - SAP_XIESR: 7.20; SAP_XITOOL: 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50

2755502 (Medium, CVSS 4.3)
[CVE-2019-0305] Clickjacking vulnerability in Integration Builder Framework of SAP NetWeaver Process Integration
Product - SAP NetWeaver Process Integration, Versions - SAP_XIESR and SAP_XITOOL: 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50

2771128 (Medium, CVSS 4.3)
[CVE-2019-0306] Information Disclosure in SAP HANA Extended Application Services (advanced model)
Product - SAP HANA Extended Application Services (advanced model), Version - 1

2662687 (Medium, CVSS 4.3)
Update to Security Note released on January 2019 Patch Day: [CVE-2018-2484] Missing Authorization check in SAP Enterprise Financial Services
Product - SAP Enterprise Financial Services, Versions - SAPSCORE 1.13, 1.14, 1.15; S4CORE 1.01, 1.02, 1.03; EA-FINSERV 1.10, 2.0, 5.0, 6.0, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0; Bank/CFM 4.63_20

2772266 (Low, CVSS 3.4)
[CVE-2019-0307] Information Disclosure in Solution Manager 7.2 (Diagnostics Agent)
Product - Solution Manager (Diagnostics Agent), Version - 7.2

 

________________________________________________________________________________

[Chart] Security Notes vs Vulnerability Types - June 2019

[Chart] Security Notes vs Priority Distribution (January 2019 – June 2019)**

* Patch Day Security Notes are all notes that appear under the category “Patch Day Notes” in the SAP Support Portal.

** Any Patch Day Security Note released after the second Tuesday will be accounted for in the following SAP Security Patch Day.

Customers who would like to see all Security Notes published or updated after May 14, 2019 can go to Launchpad Expert Search → filter 'SAP Security Notes' released between 'May 14, 2019 - June 11, 2019' → Go.

To learn more about the security researchers and research companies who contributed to this month's security patches, visit the SAP Product Security Response Acknowledgement Page.

Do write to us at secure@sap.com with all your comments and feedback on this blog post.

SAP Product Security Response Team
