
This post by the SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply patches as a priority to protect their SAP landscape.

On 9th of May 2017, SAP Security Patch Day saw the release of 9 security notes. Additionally, there were 2 updates to previously released security notes.

List of security notes released on the May Patch Day:





| Note | Title | Priority | CVSS |
|---|---|---|---|
| 2376743 | Missing Authorization check in EA-DFPS utilities | Medium | 6.5 |
| 2442630 | Missing Authorization check in EA-DFPS | Medium | 6.3 |
| 2423486 | Update to Security Note released on Apr 2017 Patch Day: Missing Authorization check in SAP NetWeaver ADBC Demo Programs | Medium | 6.3 |
| 2443586 | Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Authentication and SSO | Medium | 6.1 |
| 2424671 | Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Generic Object Services | Medium | 5.4 |
| 2448972 | Improved Permission Checks for opening connection in SAP GUI for Java | Medium | 5.1 |
| 2412897 | Cross-Site Scripting (XSS) vulnerability in Enterprise Portal | Medium | 4.8 |
| 2441560 | Potential Denial of Service (DoS) in SAPCAR | Medium | 4.5 |
| 2394024 | Missing Authorization check in EA-DFPS | Medium | 4.3 |
| 2235515 | Update to Security Note released on Nov 2015 Patch Day: Insufficient logging in SNOTE | Medium | 4.3 |
| 2406918 | Missing XML Validation vulnerability in SAP NetWeaver Web Services Configuration UI | Low | 3.8 |


[Chart: Security Notes vs Vulnerability Types - May 2017]

[Chart: Security Notes vs Priority Distribution (December 2016 - May 2017)**]

* Patch Day Security Notes are all notes that appear under the category of "Patch Day Notes" in the SAP Support Portal.

** Any Patch Day Security Note released after the second Tuesday will be accounted for in the following SAP Security Patch Day.

Customers who would like to take a look at all Security Notes that were published or updated after the previous Patch Day, see: -> All Security Notes -> Filter for notes which have been published after 11th April 2017.

To learn more about the security researchers and research companies who have contributed to this month's security patches, visit the SAP Product Security Response Acknowledgement Page.

Do write to us at with all your comments and feedback on this blog post.

SAP Product Security Response Team