Application Development Blog Posts
Learn and share on deeper, cross technology development topics such as integration and connectivity, automation, cloud extensibility, developing at scale, and security.
Showing results for 
Search instead for 
Did you mean: 
This post by SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that the customer visits the Support Portal and applies patches on a priority to protect their SAP landscape.

On 10th of April 2018, SAP Security Patch Day saw the release of 10 Security Notes. Additionally, there were 2 updates to previously released security notes.

SAP Product Security Response team would like to bring it to notice that SAP's product, SAP Business Client is integrated with Chromium, an open source rendering engine of Google Chrome web browser. The security note 2622660, released on April Patch day is to update our customers on the vulnerabilities that SAP Business Client inherits from third party web browsers like Google Chromium. The vulnerabilities listed in the security note are found in components delivered by Google. For more information on updates released by Google, please refer here - Chrome 63, Chrome 64, Chrome 65.

List of security notes released on the April Patch Day:

Note# Title Priority CVSS
2622660 Security updates for third party web browser controls delivered with SAP Business Client
Product - SAP Business Client, Version - 6.5
Hot News 9.8
2587985 Denial of Service (DOS) in SAP Business One
Related CVECVE-2017-7668
Product - SAP Business One, Versions - 9.2, 9.3
High 7.5
2376081 Update to Security Note released on August 2017 Patch Day: Code Injection vulnerability in Visual Composer 04s iviews
Product - SAP Visual Composer, Versions - 7.00, 7.01, 7.02, 7.30, 7.31
High 7.4
2552318 Update 1 to Security Note 2376081
Product - SAP Visual Composer, Versions - 7.00, 7.01, 7.02, 7.30, 7.31
High 7.4
2537150 [CVE-2018-2408] Improper Session Management in SAP Business Objects - CMC/BI Launchpad/Fiorified BI Launchpad
Product - SAP Business Objects
Versions - 4.0, from 4.10, from 4.20, 4.30
High 7.3
2614141 [CVE-2018-2409] Improper session management when using SAP CP Connectivity Service and Cloud Connector
Product - SAP Cloud Platform Connector
Version - 2.0
Medium 6.3
2595800 [CVE-2018-2403] Multiple Security Vulnerabilities in SAP Disclosure Management
Related CVEsCVE-2018-2404, CVE-2018-2412, CVE-2018-2413
Product - SAP Disclosure Management
Version - 10.1
Medium 5.4
2372688 [CVE-2018-2405] Cross-Site Scripting in Solution Manager Incident Management Workcenter
Product - SAP Solution Manager
Versions - 7.10, 7.20
Medium 5.4
2582870 [CVE-2018-2410] Cross-Site Scripting (XSS) Vulnerability in SAP Business One Browser Access
Product - SAP Business One
Version - 9.20, 9.30
Medium 5.4
2201710 Update to Security Note released on September 2015 Patch Day: Fixing Logjam and Alternative chains certificate forgery vulnerabilities in multiple SAP products
Product - Sybase PowerBuilder, Version - 12.6
Product - SMP, Version - 2.3
Product - Agentry, Version - 6.0
Product - SAP Open Switch, Version - 15.1
Product - SAP Open Server, Versions - 15.7, 16.0
Product - SDK for SAP ASE, Version - 16.0
Product - SYBASE SOFTWARE DEV KIT, Version - 15.7
Product - SYBASE IQ, Version - 15.4
Product - SAP IQ, Version - 16.0
Product - Sybase SQL Anywhere, Versions - 12.0.1, 16.0
Product - SAP SQL Anywhere, Version - 17.0
Product - SAP SQL Anywhere OnDemand, Version - 1.0
Product - SAP ASE, Versions - 15.7, 16.0
Product - SAP Replication Server, Version - 15.7
Product - SYBASE ECDA, Version - 15.7
Product - SAP HANA Smart Data Streaming, Version - 1.0
Product - SAP Complex Assembly Manufacturing, Version - 7.2
Product - SAP Data Services, Version - 4.2
Medium 5.4
2560132 [CVE-2018-2406] Unquoted windows search path vulnerability in Crystal Reports Server, OEM Edition
Product - SAP Crystal Reports Server, OEM Edition
Versions - 4.0, 4.10, 4.20, 4.30
Medium 5.3
2598687 Missing XML Validation vulnerability in SAP Control Center and SAP Cockpit Framework
Related CVE - CVE-2009-3960
Product - SAP Control Center and SAP Cockpit Framework
Medium 4.3


Security Notes vs Vulnerability Types - April 2018


Security Notes vs Priority Distribution (November 2017 – April 2018)**

* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in SAP Support Portal

** Any Patch Day Security Note released after the second Tuesday, will be accounted for in the following SAP Security Patch Day.

Customers who would like to take a look at all Security Notes that are published or updated after the previous Patch Day, see: -> All Security Notes -> Filter for notes which have been published after 13th March 2018.

To know more about the security researchers and research companies who have contributed for security patches of this month, visit SAP Product Security Response Acknowledgement Page

Do write to us at with all your comments and feedback on this blog post.

SAP Product Security Response Team