Child pages
  • SAP Security Patch Day – September 2019
Skip to end of metadata
Go to start of metadata

This post by SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that the customer visits the Support Portal and applies patches on a priority to protect their SAP landscape.

On 10th of September 2019, SAP Security Patch Day saw the release of 10 Security Notes. There are 3 update to previously released Patch Day Security Notes.

List of security notes released on September Patch Day:



Update to Security Note released on April 2018 Patch Day:
Security updates for the browser control Google Chromium delivered with SAP Business Client
Product - SAP Business Client, Version - 6.5

Hot News9.8

Update 1 to Security Note 2808158: [CVE-2019-0330] OS Command Injection vulnerability in SAP Diagnostics Agent
Product - SAP Diagnostic Agent (LM-Service), Version - 7.20

Hot News9.1

Update to Security Note released on July 2019 Patch Day:
[CVE-2019-0330OS Command Injection vulnerability in SAP Diagnostics Agent
Product - SAP Diagnostic Agent (LM-Service), Version - 7.20

Hot News9.1 
2798336[CVE-2019-0355Code Injection vulnerability in SAP NetWeaver AS for Java(Web Container)
Product - SAP NetWeaver AS for Java (Web Container)-ENGINEAPI, Versions - 7.10, 7.20, 7.30, 7.31, 7.40, 7.50
Hot News9.1 
2817491[CVE-2019-0363] Multiple security vulnerabilities in SAP HANA Extended Application Services (Advanced Model)
Additional CVE ID - CVE-2019-0364
 - SAP HANA Extended Application Services, Versions - before 1.0.118

[CVE-2019-0357Privilege escalation in SAP HANA database

Product - SAP HANA, Versions - 1.0, 2.0

Update to Security Note released on August 2018 Patch Day:
[CVE-2018-2445] Server Side Request Forgery(SSRF) vulnerability in SAP BusinessObjects BI Platform Servers AdminTools
Product - SAP BusinessObjects Business Intelligence Platform, Version - 4.1, 4.2 


[CVE-2019-0361Cross-Site Scripting (XSS) vulnerability in SAP Supplier Relationship Management (Master Data Management Catalog)
Product - SAP Supplier Relationship Management (Master Data Management Catalog) (SRM_MDM_CAT), Versions - 3.73, 7.31, 7.32


Multiple Vulnerabilities in SAP Business One (Browser Access Process Monitor and Integration Framework)
Related CVE IDs - CVE-2012-6708, CVE-2018-11784
Product - SAP Business One, Version - 9.3

2786151[CVE-2019-0365Denial of service (DOS) in SAP Kernel (RFC), SAP GUI for Windows and SAP GUI for Java
Product - SAP Kernel (RFC), Versions - KRNL32NUC, KRNL32UC and KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.73 and KERNEL 7.21, 7.49, 7.53, 7.73, 7.76
2735924[CVE-2019-0352] Improper session management in SAP Business Objects Business Intelligence Platform(CMC)
Product - SAP BusinessObjects Business Intelligence Platform (CMC), Versions - 4.1, 4.2, 4.3

[CVE-2019-0356Information Disclosure in XI Runtime Workbench of SAP NetWeaver Process Integration
Product - SAP NetWeaver Process Integration Runtime Workbench – MESSAGING and SAP_XIA, Versions - 7.31, 7.40, 7.50

2768864[CVE-2019-0353Information Disclosure in SAP Business One Client
Product - SAP Business One Client, Versions - 9.2, 9.3



Security Notes vs Vulnerability Types - September 2019


Security Notes vs Priority Distribution (April 2019 – September 2019)**

* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in SAP Support Portal

** Any Patch Day Security Note released after the second Tuesday, will be accounted for in the following SAP Security Patch Day.

Customers who would like to take a look at all Security Notes published or updated after August 13, 2019, go to Launchpad Expert Search → Filter 'SAP Security Notes' released between 'August 14, 2019 - September 10, 2019' → Go.

To know more about the security researchers and research companies who have contributed for security patches of this month, visit SAP Product Security Response Acknowledgement Page.

Do write to us at with all your comments and feedback on this blog post.

SAP Product Security Response Team

  • No labels