This post by SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that the customer visits the Support Portal and applies patches on a priority to protect their SAP landscape.
On 9th of July 2019, SAP Security Patch Day saw the release of 11 Security Notes. There are no updates to previously released Patch Day Security Notes.
List of security notes released on July Patch Day:
| Note# | Title | Priority | CVSS |
| 2808158 | [CVE-2019-0330] OS Command Injection vulnerability in SAP Diagnostics Agent Product - SAP Diagnostic Agent (LM-Service); Version - 7.20 | Hot News | 9.1 |
| 2774489 | [CVE-2019-0328] Code Injection vulnerability in ABAP Tests Modules of SAP NetWeaver Process Integration | High | 8.7 |
| 2781873 | [CVE-2019-0322] Denial of service (DOS) in SAP Commerce Cloud | Medium | 6.5 |
| 2756539 | [CVE-2019-0281] Cross-Site Scripting (XSS) vulnerability in SAPUI5 and OpenUI5 Product - OpenUI5, Versions - <= 1.38.39, <= 1.44.39, <= 1.52.25, <= 1.60.6, <= 1.63.0 | Medium | 6.1 |
| 2804833 | [CVE-2019-0329] Cross-Site Scripting (XSS) vulnerability in SAP Information Steward 4.2 Product - SAP Information Steward, Versions - 4.2 | Medium | 6.1 |
| 2773888 | [CVE-2019-0321] Cross-Site Scripting (XSS) vulnerability in ABAP Server and ABAP Platform Product - ABAP Server and ABAP Platform (SAP Basis), Versions - 7.31, 7.4, 7.5 | Medium | 6.1 |
| 2764733 | [CVE-2019-0326] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (BI Workspace) | Medium | 6.1 |
| 2777910 | [CVE-2019-0327] Unrestricted File Upload vulnerability in SAP NetWeaver AS Java (Web Container) | Medium | 5.9 |
| 2798133 | [CVE-2019-0325] Missing Authorization check in SAP ERP HCM | Medium | 5.4 |
| 2738791 | [CVE-2019-0318] Information disclosure in SAP NetWeaver AS Java (Startup Framework) Product - SAP NetWeaver Application Server for Java (Startup Framework), Versions - 7.21, 7.22, 7.45, 7.49, and 7.53 | Medium | 5.3 |
| 2752614 | [CVE-2019-0319] Content Injection Vulnerability in SAP Gateway Product - SAP Gateway, Versions - 7.5, 7.51, 7.52 and 7.53 | Medium | 4.3 |
________________________________________________________________________________
Security Notes vs Vulnerability Types - July 2019
Security Notes vs Priority Distribution (February 2019 – July 2019)**
* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in SAP Support Portal
** Any Patch Day Security Note released after the second Tuesday, will be accounted for in the following SAP Security Patch Day.
Customers who would like to take a look at all Security Notes published or updated after June 11, 2019, go to Launchpad Expert Search → Filter 'SAP Security Notes' released between 'June 12, 2019 - July 09, 2019' → Go.
To know more about the security researchers and research companies who have contributed for security patches of this month, visit SAP Product Security Response Acknowledgement Page
Do write to us at secure@sap.com with all your comments and feedback on this blog post.