This post by the SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply the patches as a priority to protect their SAP landscape.
On 11th July 2017, SAP Security Patch Day saw the release of 10 security notes. Additionally, there were 2 updates to previously released security notes.
The high priority security note 2476601 released today addresses technical issues in SAP Point of Sale (POS) Retail Xpress Server that may be disclosed at upcoming security conferences. Therefore, we wish to remind you to apply all SAP Security Notes as a priority.
List of security notes released on the July Patch Day:
Note# | Title | Priority | CVSS
--- | --- | --- | ---
2476601 | Missing Authentication checks in SAP Point of Sale (POS) Retail Xpress Server | High | 8.1
2442993 | Malicious SAP Host Agent Shutdown without Authentication | High | 7.5
2416119 | Update to Security Note released on March 2017 Patch Day: Improved security for outgoing HTTPS connections in SAP NetWeaver | High | 7.4
2453640 | Code Injection vulnerability in Governance, Risk and Compliance Access Controls | Medium | 6.5
2409262 | Cross-Site Scripting (XSS) vulnerability in BI Promotion Management Application | Medium | 6.1
2478964 | Cross-Site Scripting (XSS) vulnerability in SAP CRM Internet Sales Administration Console | Medium | 6.1
1854252 | Update to Security Note released on March 2013 Patch Day: Missing authorization-check in BC-SRV-ALV | High | 6.0
2398144 | Missing XML Validation vulnerability in SAP Business Objects Titan | Medium | 5.4
2458021 | Information Disclosure vulnerability in LDAP Authentication for SAP BusinessObjects Enterprise | Medium | 5.3
2424742 | Information Disclosure in SAP NetWeaver Master Data Management | Medium | 4.3
2478377 | Exposure to Sweet32 vulnerability in multiple SAP Sybase products | Low | 3.7
2459319 | Weak encryption used in SAP NetWeaver Data Orchestration Engine | Low | 2.7
________________________________________________________________________________
Chart: Security Notes vs Vulnerability Types - July 2017
Chart: Security Notes vs Priority Distribution (Feb 2017 – July 2017)**
* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in the SAP Support Portal.
** Any Patch Day Security Note released after the second Tuesday will be accounted for in the following SAP Security Patch Day.
Customers who would like to see all Security Notes published or updated after the previous Patch Day can go to https://support.sap.com/securitynotes -> All Security Notes -> Filter for notes published after 13th June 2017.
To learn more about the security researchers and research companies who contributed to this month's security patches, visit the SAP Product Security Response Acknowledgement Page.
Do write to us at secure@sap.com with all your comments and feedback on this blog post.
SAP Product Security Response Team