Skip to end of metadata
Go to start of metadata

This post by SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that the customer visits the Support Portal and applies patches on a priority to protect their SAP landscape.

On 12th of November 2019, SAP Security Patch Day saw the release of 12 Security Notes. There are 3 updates to previously released Patch Day Security Notes.

List of security notes released on November Patch Day:

 

Note#TitlePriorityCVSS
2622660

Update to Security Note released on April 2018 Patch Day:
Security updates for the browser control Google Chromium delivered with SAP Business Client
Product - SAP Business Client, Version - 6.5

Hot News9.8
2839864

Update 2 to Security Note 2808158: [CVE-2019-0330] OS Command Injection vulnerability in SAP Diagnostics Agent
Product - SAP Diagnostic Agent (LM-Service), Version - 7.20

Hot News9.1
2823733

Update to Security Note released on September 2019 Patch Day:
Update 1 to Security Note 2808158: 
[CVE-2019-0330] OS Command Injection vulnerability in SAP Diagnostics Agent
Product - SAP Diagnostic Agent (LM-Service), Version - 7.20

Hot News9.1
2808158Update to Security Note released on July 2019 Patch Day:
[CVE-2019-0330OS Command Injection vulnerability in SAP Diagnostics Agent
Product - SAP Diagnostic Agent (LM-Service), Version - 7.20
Hot News9.1
2814007[CVE-2019-0396] Missing XML Validation vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface)
Product - SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), Versions - 4.1, 4.2
High7.1
2833771

[CVE-2019-0385 Cross-Site Scripting (XSS) vulnerability in SAP Enable Now
Product - SAP Enable Now, Versions - before 1908

Medium6.5
2840520

[CVE-2019-0386Missing authorization check in ERP Sales and SAP S/4HANA sales (SD-SLS)
Product - SAP ERP Sales (SAP_APPL), Versions - 6.0, 6.02, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18
Product - S4HANA Sales (S4CORE), Versions - 1.0, 1.01, 1.02, 1.03, 1.04

Medium6.3 
2828981

[CVE-2019-0384Missing Authorization check in SAP Treasury and Risk Management (Transaction Management)
Product - SAP Treasury and Risk Management (S4CORE), Versions - 1.01, 1.02, 1.03, 1.04
Product - SAP Treasury and Risk Management (EA-FINSERV), Versions - 6.0, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0

Medium6.3
2814357[CVE-2019-0389] Privilege escalation in SAP NetWeaver Application Server Java
Product - SAP NetWeaver Application Server Java (J2EE-Framework), Versions - 7.1, 7.2, 7.3, 7.31, 7.4, 7.5
Medium5.9
2817937

[CVE-2019-0382XSS vulnerabilty in SAP Business Objects BI Platform (Web Intelligence)
Product - SAP BusinessObjects Business Intelligence Platform (Web Intelligence), Versions - 4.2

Medium5.4
2816035

[CVE-2019-0393SQL Injection vulnerability in SAP Quality Management
Product - SAP Quality Management (S4CORE), Versions - 1.0, 1.01, 1.02, 1.03

Medium5.4 
2842034

[CVE-2019-0390Information Disclosure in  SAP Data Hub
Product - SAP Diagnostics Agent (LM_Service), Versions - 7.2

Medium5
2843016

[CVE-2019-0388Content spoofing vulnerability in UI5 HTTP Handler
Product - SAP UI, Versions - 7.5, 7.51, 7.52, 7.53, 7.54
Product - SAP UI 700, Versions - 2.0

Medium4.3
2835226

[CVE-2019-0391Information Disclosure in SAP NetWeaver Application Server Java(eCATT service)
Product - SAP NetWeaver AS Java, Versions - 7.10, 7.20, 7.30, 7.31, 7.4, 7.5

Medium4.3 
2819170

[CVE-2019-0383Missing Authorization check in SAP Treasury and Risk Management (Transaction Management)
Product - SAP Treasury and Risk Management (S4CORE), Versions - 1.01, 1.02, 1.03, 1.04
Product - SAP Treasury and Risk Management (EA-FINSERV), Versions - 6.0, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0

Medium4.3 

 

________________________________________________________________________________

Security Notes vs Vulnerability Types - November 2019

 


Security Notes vs Priority Distribution (June 2019 – November 2019)**

* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in SAP Support Portal

** Any Patch Day Security Note released after the second Tuesday, will be accounted for in the following SAP Security Patch Day.

Customers who would like to take a look at all Security Notes published or updated after October 8, 2019, go to Launchpad Expert Search → Filter 'SAP Security Notes' released between 'October 9, 2019 - November 12, 2019' → Go.

To know more about the security researchers and research companies who have contributed for security patches of this month, visit SAP Product Security Response Acknowledgement Page.

Do write to us at secure@sap.com with all your comments and feedback on this blog post.

SAP Product Security Response Team

 Multiple Vulnerabilities in SAP Financial Consolidation

  • No labels