Friday, 13 September 2019 08:34

SAP Patchday September 2019 Featured

SAP released the monthly security patches for its platform on September 10th. This release contained four corrections with the severity rating "very high" or as SAP refers to them, "Hot News". Additionally, one correction has been made with the severity rating "High".

Continuous patching of SAP applications is essential to ensure that the most valuable company data assets are protected, and are stable, compliant, and secure against internal and external cyber threats. The task of patching, however, is often never complete, even with the meticulous housekeeping, full compliance is rarely achieved. We have created technology to enable effective and intelligent patching by providing realtime actionable intelligence across applications and custom code for which there are no available commercial patches.

With realtime detection, vulnerabilities can be mitigated before any harm is done, and patching can be simple, accurate and compliant.



Companies using the SAP Business Client, Version 6.5 should pay special attention to SNOTE 2622660. Installing the correction will prevent system information disclosure or a system crash. The vulnerability may impact the confidentiality, integrity, and availability of a system.


Summary by Severity

Hot News 4
High 1
Medium 7


2622660 Update to Security Note released on April 2018 Patch Day:Security updates for the browser control Google Chromium delivered with SAP Business Client
Product - SAP Business Client, Version - 6.5
Hot News 9.8
2823733 Update 1 to Security Note 2808158: [CVE-2019-0330] OS Command Injection vulnerability in SAP Diagnostics Agent
Product - SAP Diagnostic Agent (LM-Service), Version - 7.20
Hot News 9.1
2808158 Update to Security Note released on July 2019 Patch Day:[CVE-2019-0330] OS Command Injection vulnerability in SAP Diagnostics Agent
Product - SAP Diagnostic Agent (LM-Service), Version - 7.20
Hot News 9.1 
2798336 [CVE-2019-0355] Code Injection vulnerability in SAP NetWeaver AS for Java(Web Container)
Product - SAP NetWeaver AS for Java (Web Container)-ENGINEAPI, Versions - 7.10, 7.20, 7.30, 7.31, 7.40, 7.50
Hot News 9.1 
2817491 [CVE-2019-0363] Multiple security vulnerabilities in SAP HANA Extended Application Services (Advanced Model)Additional CVE ID - CVE-2019-0364
Product - SAP HANA Extended Application Services, Versions - before 1.0.118
High 7.7
2829681 [CVE-2019-0357] Privilege escalation in SAP HANA database
Product - SAP HANA, Versions - 1.0, 2.0
Medium 6.4
2630018 Update to Security Note released on August 2018 Patch Day:[CVE-2018-2445] Server Side Request Forgery(SSRF) vulnerability in SAP BusinessObjects BI Platform Servers AdminTools
Product - SAP BusinessObjects Business Intelligence Platform, Version - 4.1, 4.2 
Medium 6.3 
2820607 [CVE-2019-0361] Cross-Site Scripting (XSS) vulnerability in SAP Supplier Relationship Management (Master Data Management Catalog)
Product - SAP Supplier Relationship Management (Master Data Management Catalog) (SRM_MDM_CAT), Versions - 3.73, 7.31, 7.32
Medium 6.1
2803353 Multiple Vulnerabilities in SAP Business One (Browser Access Process Monitor and Integration Framework)Related CVE IDs - CVE-2012-6708, CVE-2018-11784
Product - SAP Business One, Version - 9.3
Medium 6.1
2786151 [CVE-2019-0365] Denial of service (DOS) in SAP Kernel (RFC), SAP GUI for Windows and SAP GUI for Java
Product - SAP Kernel (RFC), Versions - KRNL32NUC, KRNL32UC and KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.73 and KERNEL 7.21, 7.49, 7.53, 7.73, 7.76
Medium 5.3
2735924 [CVE-2019-0352] Improper session management in SAP Business Objects Business Intelligence Platform(CMC)
Product - SAP BusinessObjects Business Intelligence Platform (CMC), Versions - 4.1, 4.2, 4.3
Medium 4.3
2802521 [CVE-2019-0356] Information Disclosure in XI Runtime Workbench of SAP NetWeaver Process Integration
Product - SAP NetWeaver Process Integration Runtime Workbench – MESSAGING and SAP_XIA, Versions - 7.31, 7.40, 7.50
Medium 4.3
2768864 [CVE-2019-0353] Information Disclosure in SAP Business One Client
Product - SAP Business One Client, Versions - 9.2, 9.3
Low 3.3

Additional Info

  • Language:: English