This post by the SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply patches on a priority to protect their SAP landscape.

On 9th of January 2018, SAP Security Patch Day saw the release of 3 Security Notes. Additionally, there were 4 updates to previously released security notes.

List of security notes released on the January Patch Day:

| Note# | Title | Priority | CVSS |
|---|---|---|---|
| 1906212 | Update to Security Note released on October 2014 Patch Day:<br>Code Injection vulnerability in Knowledge Provider<br>Product - SAP Netweaver<br>Software Component - SAP BASIS; Versions - 46C, 7.01, from 7.11 to 7.30, 7.31, 7.40 | Medium | 6.5 |
| 2278931 | Update to Security Note released on February 2017 Patch Day:<br>Update 1 to 1906212: Code injection vulnerability in Knowledge Provider<br>Product - SAP Netweaver<br>Software Component - SAP BASIS; Versions - 7.00 to 7.02, 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, 7.51 | Medium | 6.5 |
| 2525392 | [CVE-2018-2363] Update 2 to 1906212: Code Injection vulnerability in Knowledge Provider<br>Product - SAP Netweaver<br>Software Component - SAP BASIS; Versions - from 7.00 to 7.02, from 7.10 to 7.11, 7.30, 7.31, 7.40, from 7.50 to 7.52 | Medium | 6.5 |
| 2507934 | [CVE-2018-2361] Improper Role Authorizations in SAP Solution Manager 7.2<br>Product - SAP Solution Manager<br>Software Components - SAP Solution Manager; Version - 7.20 | Medium | 6.3 |
| 2523961 | [CVE-2018-2360] Missing Authentication check in Startup Service<br>Product - SAP Startup Service<br>Software Component - SAP KERNEL; Versions - 7.45, 7.49, 7.52 | Medium | 5.8 |
| 2575750 | [CVE-2018-2362] Information Disclosure in Startup Service in SAP HANA<br>Products - SAP HANA<br>Software Component - HANA; Versions - 1.00 and 2.00 | Medium | 5.3 |
| 2529480 | Update to Security Note released on December 2017 Patch Day:<br>[CVE-2017-16690] DLL preload attack possible on NwSapSetup and Installation self extracting program for SAP Plant Connectivity<br>Product - SAP Plant Connectivity (PCo)<br>Versions - 2.3, 15.0 | Medium | 5.0 |


________________________________________________________________________________


Security Notes vs Vulnerability Types - January 2018



 

Security Notes vs Priority Distribution (August 2017 – January 2018)**



* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in the SAP Support Portal.

** Any Patch Day Security Note released after the second Tuesday will be accounted for in the following SAP Security Patch Day.

Customers who would like to take a look at all Security Notes that have been published or updated after the previous Patch Day can see: https://support.sap.com/securitynotes -> All Security Notes -> Filter for notes which have been published after 12th December 2017.

To learn more about the security researchers and research companies who have contributed to this month's security patches, visit the SAP Product Security Response Acknowledgement Page.

Do write to us at secure@sap.com with all your comments and feedback on this blog post.

SAP Product Security Response Team