Skip to end of metadata
Go to start of metadata

This post by SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that the customer visits the Support Portal and applies patches on a priority to protect their SAP landscape.

On 8th of October 2019, SAP Security Patch Day saw the release of 7 Security Notes. There is 1 update to previously released Patch Day Security Notes.

List of security notes released on October Patch Day:

 

Note#TitlePriorityCVSS
2826015

[CVE-2019-0379Missing Authentication Check in AS2 Adapter of B2B Add-On for SAP NetWeaver Process Integration
Product - SAP Process Integration, business-to-business add-on, Versions - 1.0, 2.0

Hot News9.3
2828682

[CVE-2019-0380] Information Disclosure vulnerability in SAP Landscape Management Enterprise
Product - SAP Landscape Management enterprise edition, Version - 3.0

Hot News9.1
2792430

[CVE-2019-0381Binary Planting vulnerability in SAP SQL Anywhere, SAP IQ and SAP Dynamic Tiering
Product - SAP IQ, Version - 16.1
Product - SAP SQL Anywhere, Version - 17.0
Product - SAP Dynamic Tiering, Version - 1.0, 2.0

High7.8 
2751806[CVE-2019-0368Cross-Site Scripting (XSS) vulnerability in Customer relationship management (Email management)
Product - SAP Customer Relationship Management (Email Management), Versions - S4CRM 100, 200; BBPCRM 700, 701, 702, 712, 713, 714
Medium5.4 
2817945[CVE-2019-0374] Multiple Cross-Site Scripting (XSS) vulnerabilities in SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface)
Additional CVE IDs - CVE-2019-0375CVE-2019-0376CVE-2019-0377CVE-2019-0378   Product - SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), Versions - 420, 430
Medium5.4
2806403

[CVE-2019-0370Multiple Vulnerabilities in SAP Financial Consolidation
Additional CVE ID - CVE-2019-0369

Product - SAP Financial Consolidation, Versions - 10.0, 10.1
Medium5.4
2786151

Update to Security Note released on September 2019 Patch Day:
[CVE-2019-0365Denial of service (DOS) in SAP Kernel (RFC), SAP GUI for Windows and SAP GUI for Java
Product - SAP Kernel (RFC), Versions - KRNL32NUC, KRNL32UC and KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.73 and KERNEL 7.21, 7.49, 7.53, 7.73, 7.76

Medium5.3 
2805777

[CVE-2019-0367Missing Authorization Check in B2B Content Manager of B2B Add-On for SAP NetWeaver Process Integration
Product - SAP NetWeaver Process Integration (B2B Toolkit), Versions - 1.0, 2.0

Medium4.3

 

________________________________________________________________________________

Security Notes vs Vulnerability Types - October 2019

 


Security Notes vs Priority Distribution (May 2019 – October 2019)**

* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in SAP Support Portal

** Any Patch Day Security Note released after the second Tuesday, will be accounted for in the following SAP Security Patch Day.

Customers who would like to take a look at all Security Notes published or updated after September 10, 2019, go to Launchpad Expert Search → Filter 'SAP Security Notes' released between 'September 11, 2019 - October 8, 2019' → Go.

To know more about the security researchers and research companies who have contributed for security patches of this month, visit SAP Product Security Response Acknowledgement Page.

Do write to us at secure@sap.com with all your comments and feedback on this blog post.

SAP Product Security Response Team

 Multiple Vulnerabilities in SAP Financial Consolidation

  • No labels