Tuesday, 13 August 2019 09:31

SAP Patchday August 2019

As on every second Tuesday of the month, SAP has today, 13 August 2019, released security patches for its enterprise application product portfolio. This blog article lists the released security notes. Links to the security note details may require an SAP Online Support user.

This month four "Hot News" notes have been released, two of which carry a CVSS score of 9.9 and 9.8 respectively. The following products are affected: SAP NetWeaver UDDI Server (Note 2800779), SAP Business Client (Note 2622660), SAP Commerce Cloud (Note 2786035) and SAP NetWeaver Application Server for Java (Note 2813811). Additionally, two High-rated notes have been published: a Denial of Service (DoS) vulnerability in the SAP HANA database (Note 2798243) and a missing authorization check in the ABAP Debugger of the SAP Kernel (Note 2798743).

Besides the obvious need to carefully review the Hot News, above all the Remote Code Execution (RCE) vulnerability in SAP NetWeaver UDDI Server (Note 2800779), we especially recommend reviewing the Information Disclosure vulnerability in SAP Gateway (Note 2793351), even though it is only rated Medium.


Summary by Severity

Severity    Number
Hot News    4
High        2
Medium      6
Low         1


List of Security Notes

The table below lists the security notes released for August 2019. We recommend that customers review these notes and evaluate the need for installation according to their installed components and versions. For SecurityBridge customers, updated signatures are available for download.


Note 2800779 - [CVE-2019-0351] Remote Code Execution (RCE) in SAP NetWeaver UDDI Server (Services Registry)
  Product - SAP NetWeaver UDDI Server (Services Registry); Versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50
  Severity - Hot News; CVSS - 9.9

Note 2622660 - Update to the Security Note released on the April 2018 Patch Day: Security updates for the browser control Google Chromium delivered with SAP Business Client
  Product - SAP Business Client; Version - 6.5
  Severity - Hot News; CVSS - 9.8

Note 2786035 - [CVE-2019-0344] Code Injection vulnerabilities in SAP Commerce Cloud (mediaconversion and virtualjdbc extension); additional CVE ID - CVE-2019-0343
  Product - SAP Commerce Cloud (virtualjdbc extension); Versions - 6.4, 6.5, 6.6, 6.7, 1808, 1811, 1905
  Product - SAP Commerce Cloud (mediaconversion extension); Versions - 6.4, 6.5, 6.6, 6.7, 1808, 1811, 1905
  Severity - Hot News; CVSS - 9.0

Note 2813811 - [CVE-2019-0345] Server-Side Request Forgery in SAP NetWeaver Application Server for Java (Administrator System Overview)
  Product - SAP NetWeaver Application Server for Java (Administrator System Overview); Versions - 7.30, 7.31, 7.40, 7.50
  Severity - Hot News; CVSS - 9.0

Note 2798243 - [CVE-2019-0350] Denial of Service (DoS) in SAP HANA database
  Product - SAP HANA Database; Versions - 1.0, 2.0
  Severity - High; CVSS - 7.5

Note 2798743 - [CVE-2019-0349] Missing Authorization check in SAP Kernel (ABAP Debugger)
  Product - SAP Kernel (ABAP Debugger); Versions - KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT; KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT; KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49; KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.73; KERNEL 7.21, 7.49, 7.53, 7.73, 7.75, 7.76, 7.77
  Severity - High; CVSS - 7.2

Note 2764513 - [CVE-2019-0333] Information Disclosure in SAP BusinessObjects Business Intelligence Platform (Web Intelligence and CMC); additional CVE ID - CVE-2019-0346
  Product - SAP BusinessObjects Business Intelligence Platform (Web Intelligence); Version - 4.2
  Product - SAP BusinessObjects Business Intelligence Platform (CMC); Version - 4.2
  Severity - Medium; CVSS - 6.5

Note 2794742 - [CVE-2019-0340] Multiple Security Vulnerabilities in SAP Enable Now; additional CVE ID - CVE-2019-0341
  Product - SAP Enable Now; Version - 1902
  Severity - Medium; CVSS - 6.4

Note 2789866 - [CVE-2019-0337] Cross-Site Scripting (XSS) vulnerability in Java Proxy Runtime of SAP NetWeaver Process Integration
  Product - SAP NetWeaver Process Integration (Java Proxy Runtime); Versions - 7.10, 7.11, 7.30, 7.31, 7.40, 7.50
  Severity - Medium; CVSS - 6.1

Note 2771221 - [CVE-2019-0334] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (BI Workspace)
  Product - SAP BusinessObjects Business Intelligence Platform (BI Workspace); Versions - 4.1, 4.2, 4.3
  Severity - Medium; CVSS - 5.4

Note 2793351 - [CVE-2019-0338] Information Disclosure in SAP Gateway
  Product - SAP Gateway; Versions - 750, 751, 752, 753
  Severity - Medium; CVSS - 5.3

Note 2742468 - [CVE-2019-0331] Multiple vulnerabilities in SAP BusinessObjects Business Intelligence Platform (BI Workspace, InfoView and CMC); additional CVE IDs - CVE-2019-0332, CVE-2019-0335
  Product - SAP BusinessObjects Business Intelligence Platform (BI Workspace); Versions - 4.1, 4.2, 4.3
  Product - SAP BusinessObjects Business Intelligence Platform (InfoView); Versions - 4.1, 4.2, 4.3
  Product - SAP BusinessObjects Business Intelligence Platform (Web Intelligence); Versions - 4.1, 4.2, 4.3
  Severity - Medium; CVSS - 5.3

Note 2751470 - [CVE-2019-0348] Encryption not enforced in SAP BusinessObjects Business Intelligence Platform (Web Intelligence)
  Product - SAP BusinessObjects Business Intelligence Platform (Web Intelligence); Versions - 4.1, 4.2
  Severity - Low; CVSS - 3.5
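The evaluation recommended above (which of this month's notes apply to a landscape, given the installed components and releases) is mechanical enough to script. The following is an added example and not SecurityBridge's or SAP's code: the note data is transcribed from the list above, while the INVENTORY, the component names used as keys, and the helper names are constructed for illustration. A hit means the installed release appears in the note's affected list and the note must be reviewed; whether the installed support package or kernel patch level already contains the correction is decided by the note's validity and correction instructions, not by this script.

```python
"""Map the August 2019 SAP Security Notes listed above onto a component inventory.

Added example (not SecurityBridge's or SAP's code). NOTES is transcribed from the
list above; INVENTORY and the component key names are constructed assumptions.
"""
from collections import Counter
from dataclasses import dataclass

SEVERITY_RANK = {"Hot News": 0, "High": 1, "Medium": 2, "Low": 3}


@dataclass(frozen=True)
class Note:
    number: str
    title: str
    severity: str
    cvss: float
    affected: tuple  # ((component, (release, ...)), ...) as printed in the note


def _n(number, title, severity, cvss, *affected):
    return Note(number, title, severity, cvss, tuple(affected))


NW_J = "SAP NetWeaver Application Server for Java"
BIP = "SAP BusinessObjects Business Intelligence Platform"
NOTES = (
    _n("2800779", "RCE in SAP NetWeaver UDDI Server (Services Registry)", "Hot News", 9.9,
       ("SAP NetWeaver UDDI Server", ("7.10", "7.11", "7.20", "7.30", "7.31", "7.40", "7.50"))),
    _n("2622660", "Chromium updates for SAP Business Client", "Hot News", 9.8,
       ("SAP Business Client", ("6.5",))),
    _n("2786035", "Code Injection in SAP Commerce Cloud (mediaconversion, virtualjdbc)", "Hot News", 9.0,
       ("SAP Commerce Cloud", ("6.4", "6.5", "6.6", "6.7", "1808", "1811", "1905"))),
    _n("2813811", "SSRF in AS Java (Administrator System Overview)", "Hot News", 9.0,
       (NW_J, ("7.30", "7.31", "7.40", "7.50"))),
    _n("2798243", "Denial of Service in SAP HANA Database", "High", 7.5,
       ("SAP HANA Database", ("1.0", "2.0"))),
    # Kernel note: only the KERNEL and KRNL64UC lines are transcribed here.
    _n("2798743", "Missing Authorization check in SAP Kernel (ABAP Debugger)", "High", 7.2,
       ("SAP Kernel", ("7.21", "7.49", "7.53", "7.73", "7.75", "7.76", "7.77")),
       ("SAP Kernel KRNL64UC", ("7.21", "7.21EXT", "7.22", "7.22EXT", "7.49", "7.73"))),
    _n("2764513", "Information Disclosure in BI Platform (Web Intelligence, CMC)", "Medium", 6.5,
       (BIP, ("4.2",))),
    _n("2794742", "Multiple vulnerabilities in SAP Enable Now", "Medium", 6.4,
       ("SAP Enable Now", ("1902",))),
    _n("2789866", "XSS in Java Proxy Runtime of SAP NetWeaver PI", "Medium", 6.1,
       ("SAP NetWeaver Process Integration", ("7.10", "7.11", "7.30", "7.31", "7.40", "7.50"))),
    _n("2771221", "XSS in BI Platform (BI Workspace)", "Medium", 5.4,
       (BIP, ("4.1", "4.2", "4.3"))),
    _n("2793351", "Information Disclosure in SAP Gateway", "Medium", 5.3,
       ("SAP Gateway", ("750", "751", "752", "753"))),
    _n("2742468", "Multiple vulnerabilities in BI Platform (BI Workspace, InfoView, CMC)", "Medium", 5.3,
       (BIP, ("4.1", "4.2", "4.3"))),
    _n("2751470", "Encryption not enforced in BI Platform (Web Intelligence)", "Low", 3.5,
       (BIP, ("4.1", "4.2"))),
)

# Constructed inventory: (component, installed release) per system in the landscape.
INVENTORY = (
    (NW_J, "7.50"),
    ("SAP Kernel", "7.53"),
    ("SAP HANA Database", "2.0"),
    ("SAP Gateway", "752"),
    (BIP, "4.2"),
    ("SAP Business Client", "6.5"),
    ("SAP Commerce Cloud", "6.3"),  # release not listed in the note: no hit
)


def _norm(s):
    # Compare releases as SAP prints them ("7.21EXT", "752"), ignoring spacing/case.
    return "".join(s.split()).upper()


def applicable_notes(inventory, notes=NOTES):
    """Return [(note, [(component, release), ...])] for every note whose affected
    list contains an installed release, ordered Hot News > High > Medium > Low,
    then by CVSS descending, then by note number for a stable order."""
    hits = []
    for note in notes:
        matched = [(comp, rel) for comp, rel in inventory
                   for a_comp, releases in note.affected
                   if _norm(comp) == _norm(a_comp)
                   and _norm(rel) in {_norm(r) for r in releases}]
        if matched:
            hits.append((note, matched))
    hits.sort(key=lambda h: (SEVERITY_RANK[h[0].severity], -h[0].cvss, h[0].number))
    return hits


def severity_summary(inventory, notes=NOTES):
    """Count applicable notes per severity, like the summary table above."""
    return dict(Counter(n.severity for n, _ in applicable_notes(inventory, notes)))


if __name__ == "__main__":
    for note, matched in applicable_notes(INVENTORY):
        systems = ", ".join(f"{c} {r}" for c, r in matched)
        print(f"{note.severity:8} {note.cvss:4} Note {note.number}: {note.title} [{systems}]")
    print(severity_summary(INVENTORY))
```

Matching is on the release string exactly as the note prints it, so a landscape on Commerce Cloud 6.3 produces no hit for Note 2786035 while every release the note does list is caught; ties in CVSS are broken by note number so that two runs over the same inventory produce the same work list.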

Find more information in the official SAP Security Response Space: Source
