SAP released the monthly security patches for its platform on September 10th. This release contained four corrections with the severity rating "very high" or, as SAP refers to them, "Hot News". Additionally, one correction was released with the severity rating "High".
Continuous patching of SAP applications is essential to ensure that the most valuable company data assets are protected, and that the systems holding them remain stable, compliant, and secure against internal and external cyber threats. The task of patching, however, is never truly complete: even with meticulous housekeeping, full compliance is rarely achieved. We have created technology to enable effective and intelligent patching by providing real-time, actionable intelligence across applications and custom code for which no commercial patches are available.
With real-time detection, vulnerabilities can be mitigated before any harm is done, and patching can be simple, accurate and compliant.
Highlights
Companies using SAP Business Client, Version 6.5, should pay special attention to SNOTE 2622660. Installing the correction prevents system information disclosure and system crashes. The vulnerability may impact the confidentiality, integrity, and availability of the affected system.
Summary by Severity
Severity | Number |
---|---|
Hot News | 4 |
High | 1 |
Medium | 7 |
Note | Description | Severity | CVSS |
---|---|---|---|
2622660 | Update to Security Note released on April 2018 Patch Day: Security updates for the browser control Google Chromium delivered with SAP Business Client. Product - SAP Business Client, Version - 6.5 | Hot News | 9.8 |
2823733 | Update 1 to Security Note 2808158: [CVE-2019-0330] OS Command Injection vulnerability in SAP Diagnostics Agent. Product - SAP Diagnostic Agent (LM-Service), Version - 7.20 | Hot News | 9.1 |
2808158 | Update to Security Note released on July 2019 Patch Day: [CVE-2019-0330] OS Command Injection vulnerability in SAP Diagnostics Agent. Product - SAP Diagnostic Agent (LM-Service), Version - 7.20 | Hot News | 9.1 |
2798336 | [CVE-2019-0355] Code Injection vulnerability in SAP NetWeaver AS for Java (Web Container). Product - SAP NetWeaver AS for Java (Web Container) - ENGINEAPI, Versions - 7.10, 7.20, 7.30, 7.31, 7.40, 7.50 | Hot News | 9.1 |
2817491 | [CVE-2019-0363] Multiple security vulnerabilities in SAP HANA Extended Application Services (Advanced Model). Additional CVE ID - CVE-2019-0364. Product - SAP HANA Extended Application Services, Versions - before 1.0.118 | High | 7.7 |
2829681 | [CVE-2019-0357] Privilege escalation in SAP HANA database. Product - SAP HANA, Versions - 1.0, 2.0 | Medium | 6.4 |
2630018 | Update to Security Note released on August 2018 Patch Day: [CVE-2018-2445] Server Side Request Forgery (SSRF) vulnerability in SAP BusinessObjects BI Platform Servers AdminTools. Product - SAP BusinessObjects Business Intelligence Platform, Versions - 4.1, 4.2 | Medium | 6.3 |
2820607 | [CVE-2019-0361] Cross-Site Scripting (XSS) vulnerability in SAP Supplier Relationship Management (Master Data Management Catalog). Product - SAP Supplier Relationship Management (Master Data Management Catalog) (SRM_MDM_CAT), Versions - 3.73, 7.31, 7.32 | Medium | 6.1 |
2803353 | Multiple Vulnerabilities in SAP Business One (Browser Access Process Monitor and Integration Framework). Related CVE IDs - CVE-2012-6708, CVE-2018-11784. Product - SAP Business One, Version - 9.3 | Medium | 6.1 |
2786151 | [CVE-2019-0365] Denial of service (DoS) in SAP Kernel (RFC), SAP GUI for Windows and SAP GUI for Java. Product - SAP Kernel (RFC), Versions - KRNL32NUC, KRNL32UC and KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT; KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.73; and KERNEL 7.21, 7.49, 7.53, 7.73, 7.76 | Medium | 5.3 |
2735924 | [CVE-2019-0352] Improper session management in SAP BusinessObjects Business Intelligence Platform (CMC). Product - SAP BusinessObjects Business Intelligence Platform (CMC), Versions - 4.1, 4.2, 4.3 | Medium | 4.3 |
2802521 | [CVE-2019-0356] Information Disclosure in XI Runtime Workbench of SAP NetWeaver Process Integration. Product - SAP NetWeaver Process Integration Runtime Workbench - MESSAGING and SAP_XIA, Versions - 7.31, 7.40, 7.50 | Medium | 4.3 |
2768864 | [CVE-2019-0353] Information Disclosure in SAP Business One Client. Product - SAP Business One Client, Versions - 9.2, 9.3 | Low | 3.3 |