Application Development Blog Posts
Learn and share on deeper, cross technology development topics such as integration and connectivity, automation, cloud extensibility, developing at scale, and security.
cancel
Showing results for 
Search instead for 
Did you mean: 
Former Member
0 Kudos
9,095
This post by SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that the customer visits the Support Portal and applies patches on a priority to protect his SAP landscape.

On 11th of July 2017, SAP Security Patch Day saw the release of 10 security notes. Additionally, there were 2 updates to previously released security notes.

The high priority security note 2476601 released today addresses technical issues in SAP Point of Sale (POS) Retail Xpress Server with potential disclosure at upcoming security conferences. Therefore, we wish to remind you to apply all SAP Security Notes on a priority.

List of security notes released on the July Patch Day:

















































































Note# Title Priority CVSS
2476601 Missing Authentication checks in SAP Point of Sale (POS) Retail Xpress Server High 8.1
2442993 Malicious SAP Host Agent Shutdown without Authentication High 7.5
2416119 Update to Security Note released on March 2017 Patch Day:
Improved security for outgoing HTTPS connections in SAP NetWeaver
High 7.4
2453640 Code Injection vulnerability in Governance, Risk and Compliance Access Controls Medium 6.5
2409262 Cross-Site Scripting (XSS) vulnerability in BI Promotion Management Application Medium 6.1
2478964 Cross-Site Scripting (XSS) vulnerability in SAP CRM Internet Sales Administration Console Medium 6.1
1854252 Update to Security Note released on March 2013 Patch Day:
Missing authorization-check in BC-SRV-ALV
High 6.0
2398144 Missing XML Validation vulnerability in SAP Business Objects Titan Medium 5.4
2458021 Information Disclosure vulnerability in LDAP Authentication for SAP BusinessObjects Enterprise Medium 5.3
2424742 Information Disclosure in SAP NetWeaver Master Data Management Medium 4.3
2478377 Exposure to Sweet32 vulnerability in multiple SAP Sybase products Low 3.7
2459319 Weak encryption used in SAP Netweaver Data Orchestration Engine Low 2.7

________________________________________________________________________________

Security Notes vs Vulnerability Types- July 2017



Security Notes vs Priority Distribution (Feb 2017 – July 2017)**



* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in SAP Support Portal

** Any Patch Day Security Note released after the second Tuesday, will be accounted for in the following SAP Security Patch Day.

Customers who would like to take a look at all Security Notes that are published or updated after the previous Patch Day see: https://support.sap.com/securitynotes -> All Security Notes -> Filter for notes which have been published after 13th June 2017.

To know more about the security researchers and research companies who have contributed for security patches of this month visit SAP Product Security Response Acknowledgement Page

Do write to us at secure@sap.com with all your comments and feedback on this blog post.

SAP Product Security Response Team
1 Comment
Labels in this area