This post by the SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply the patches with priority to protect their SAP landscape.
On 11 June 2019, SAP Security Patch Day saw the release of 11 Security Notes. Additionally, there were 3 updates to previously released Security Notes.
We would like to inform our customers that, starting with the June Patch Day, all new SAP Security Notes with high and very high priority will deliver fixes for Support Packages shipped within the last 24 months. This extends the previous Support Package coverage of 18 months. Read more.
List of security notes released on June Patch Day:
Update to Security Note released on April 2018 Patch Day:
Update to Security Note released on May 2019 Patch Day:

| Note | Title | Product and Versions |
|---|---|---|
| | [CVE-2019-0308] Code Injection vulnerability in SAP E-Commerce (Business-to-Consumer) Application | |
| 2728153 | [CVE-2019-0311] Cross-Site Scripting (XSS) vulnerability in Automotive Dealer Portal of SAP R/3 Enterprise Application | SAP R/3 Enterprise Application, Versions - EA-APPL 600, 602, 603, 604, 605, 606, 616, 617 |
| 2637997 | [CVE-2019-0303] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (Administration Console) | SAP BusinessObjects Business Intelligence Platform (Administration Console), Versions - 4.2, 4.3 |
| | [CVE-2019-0315] Information Disclosure in Integration Builder Framework of SAP NetWeaver Process Integration | SAP NetWeaver Process Integration (PI Integration Builder Web UI), Versions - SAP_XIESR: 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; SAP_XITOOL: 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50; SAP_XIPCK: 7.10 to 7.11, 7.20, 7.30 |
| | [CVE-2019-0314] Denial of Service (DoS) in SAP Work Manager and SAP Inventory Manager | |
| | [CVE-2019-0304] Code Injection vulnerability in SAP NetWeaver AS ABAP Platform (FTP Function) | |
| | [CVE-2019-0312] Information Disclosure in SAP NetWeaver Process Integration | |
| 2745917 | [CVE-2019-0316] Cross-Site Scripting (XSS) vulnerability in Integration Builder of SAP NetWeaver Process Integration | SAP NetWeaver Process Integration, Versions - SAP_XIESR: 7.20; SAP_XITOOL: 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50 |
| 2755502 | [CVE-2019-0305] Clickjacking vulnerability in Integration Builder Framework of SAP NetWeaver Process Integration | SAP NetWeaver Process Integration, Versions - SAP_XIESR and SAP_XITOOL: 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 |
| 2771128 | [CVE-2019-0306] Information Disclosure in SAP HANA Extended Application Services (advanced model) | SAP HANA Extended Application Services (advanced model), Version - 1 |
| 2662687 | Update to Security Note released on January 2019 Patch Day: [CVE-2018-2484] Missing Authorization check in SAP Enterprise Financial Services | SAP Enterprise Financial Services, Versions - SAPSCORE 1.13, 1.14, 1.15; S4CORE 1.01, 1.02, 1.03; EA-FINSERV 1.10, 2.0, 5.0, 6.0, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0; Bank/CFM 4.63_20 |
| 2772266 | [CVE-2019-0307] Information Disclosure in Solution Manager 7.2 (Diagnostics Agent) | Solution Manager (Diagnostics Agent), Versions - 7.2 |
[Chart] Security Notes vs Vulnerability Types - June 2019
[Chart] Security Notes vs Priority Distribution (January 2019 – June 2019)**
* Patch Day Security Notes are all notes that appear under the category “Patch Day Notes” in the SAP Support Portal.
** Any Patch Day Security Note released after the second Tuesday will be accounted for in the following SAP Security Patch Day.
Customers who would like to take a look at all Security Notes published or updated after May 14, 2019 can go to Launchpad Expert Search → Filter 'SAP Security Notes' released between 'May 14, 2019 - June 11, 2019' → Go.
To know more about the security researchers and research companies who contributed to this month's security patches, visit the SAP Product Security Response Acknowledgement Page.
Do write to us at firstname.lastname@example.org with all your comments and feedback on this blog post.