This post by SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that the customer visits the Support Portal and applies patches on a priority to protect their SAP landscape.
On 13th of August 2019, SAP Security Patch Day saw the release of 12 Security Notes. There is 1 update to previously released Patch Day Security Notes.
List of security notes released on August Patch Day:
[CVE-2019-0351] Remote Code Execution(RCE) in SAP NetWeaver UDDI Server (Services Registry)Product - SAP NetWeaver UDDI Server (Services Registry); Versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50
Update to Security Note released on April 2018 Patch Day:
[CVE-2019-0344] Code Injection vulnerabilities in SAP Commerce Cloud (mediaconversion and virtualjdbc extension)
|2813811||[CVE-2019-0345] Server-Side Request Forgery in SAP NetWeaver Application Server for Java (Administrator System Overview)|
Product - SAP NetWeaver Application Server for Java (Administrator System Overview), Versions - 7.30, 7.31, 7.40, 7.50
|2798243||[CVE-2019-0350] Denial of service (DOS) in SAP HANA database|
Product - SAP HANA Database, Versions - 1.0, 2.0
[CVE-2019-0349] Missing Authorization check in SAP Kernel (ABAP Debugger)Product - SAP Kernel (ABAP Debugger), Versions - KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.73, KERNEL 7.21, 7.49, 7.53, 7.73, 7.75, 7.76, 7.77
[CVE-2019-0333] Information Disclosure in SAP Business Objects Business Intelligence Platform (Web Intelligence and CMC)
[CVE-2019-0337] Cross-Site Scripting (XSS) vulnerability in Java Proxy Runtime of SAP NetWeaver Process Integration
|2771221||[CVE-2019-0334] Cross-Site Scripting (XSS) vulnerability in SAP Business Objects Business Intelligence Platform (BI Workspace)|
Product - SAP BusinessObjects Business Intelligence Platform (BI Workspace), Versions - 4.1, 4.2, 4.3
|2793351||[CVE-2019-0338] Information Disclosure in SAP Gateway|
Product - SAP Gateway, Versions - 750, 751, 752, 753
[CVE-2019-0331] Multiple vulnerabilities In SAP BusinessObjects Business Intelligence Platform (BI Workspace, Infoview and CMC)
|2751470||[CVE-2019-0348] Encryption not enforced in SAP BusinessObjects Business Intelligence Platform (Web Intelligence)|
Product - SAP Business Objects Business Intelligence Platform (Web Intelligence), Versions - 4.1, 4.2
Security Notes vs Vulnerability Types - August 2019
Security Notes vs Priority Distribution (March 2019 – August 2019)**
* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in SAP Support Portal
** Any Patch Day Security Note released after the second Tuesday, will be accounted for in the following SAP Security Patch Day.
Customers who would like to take a look at all Security Notes published or updated after July 9, 2019, go to Launchpad Expert Search → Filter 'SAP Security Notes' released between 'July 10, 2019 - August 13, 2019' → Go.
To know more about the security researchers and research companies who have contributed for security patches of this month, visit SAP Product Security Response Acknowledgement Page
Do write to us at firstname.lastname@example.org with all your comments and feedback on this blog post.