Sunday, 17 November 2019 11:07

SAP Patchday November 2019

With year-end rapidly approaching, SAP SE is not yet tired of releasing new security patches for its product portfolio.

Highlights

This week (CW46) brings 11 new patches, complemented by 4 updates to previously released SAP Security Notes. All four updates concern "Hot News" notes, so we recommend that any customer who has already started mitigating these vulnerabilities carefully review the updates.
Looking at the patches rated "medium", the notes addressing the missing authorisation checks in SAP Treasury and Risk Management (S4CORE) and S4HANA Sales (S4CORE) should be an easy target to implement.

Summary by Severity

Severity    Number
Hot News    4
High        1
Medium      10


Note      Description
          Product(s) and affected versions
          Severity, CVSS score

2622660   Update to Security Note released on April 2018 Patch Day: Security updates for the browser control Google Chromium delivered with SAP Business Client
          Product - SAP Business Client, Version - 6.5
          Hot News, CVSS 9.8

2839864   Update 2 to Security Note 2808158: [CVE-2019-0330] OS Command Injection vulnerability in SAP Diagnostics Agent
          Product - SAP Diagnostic Agent (LM-Service), Version - 7.20
          Hot News, CVSS 9.1

2823733   Update to Security Note released on September 2019 Patch Day: Update 1 to Security Note 2808158: [CVE-2019-0330] OS Command Injection vulnerability in SAP Diagnostics Agent
          Product - SAP Diagnostic Agent (LM-Service), Version - 7.20
          Hot News, CVSS 9.1

2808158   Update to Security Note released on July 2019 Patch Day: [CVE-2019-0330] OS Command Injection vulnerability in SAP Diagnostics Agent
          Product - SAP Diagnostic Agent (LM-Service), Version - 7.20
          Hot News, CVSS 9.1

2814007   [CVE-2019-0396] Missing XML Validation vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface)
          Product - SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), Versions - 4.1, 4.2
          High, CVSS 7.1

2833771   [CVE-2019-0385] Cross-Site Scripting (XSS) vulnerability in SAP Enable Now
          Product - SAP Enable Now, Versions - before 1908
          Medium, CVSS 6.5

2840520   [CVE-2019-0386] Missing authorization check in ERP Sales and SAP S/4HANA sales (SD-SLS)
          Product - SAP ERP Sales (SAP_APPL), Versions - 6.0, 6.02, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18
          Product - S4HANA Sales (S4CORE), Versions - 1.0, 1.01, 1.02, 1.03, 1.04
          Medium, CVSS 6.3

2828981   [CVE-2019-0384] Missing Authorization check in SAP Treasury and Risk Management (Transaction Management)
          Product - SAP Treasury and Risk Management (S4CORE), Versions - 1.01, 1.02, 1.03, 1.04
          Product - SAP Treasury and Risk Management (EA-FINSERV), Versions - 6.0, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0
          Medium, CVSS 6.3

2814357   [CVE-2019-0389] Privilege escalation in SAP NetWeaver Application Server Java
          Product - SAP NetWeaver Application Server Java (J2EE-Framework), Versions - 7.1, 7.2, 7.3, 7.31, 7.4, 7.5
          Medium, CVSS 5.9

2817937   [CVE-2019-0382] XSS vulnerability in SAP Business Objects BI Platform (Web Intelligence)
          Product - SAP BusinessObjects Business Intelligence Platform (Web Intelligence), Versions - 4.2
          Medium, CVSS 5.4

2816035   [CVE-2019-0393] SQL Injection vulnerability in SAP Quality Management
          Product - SAP Quality Management (S4CORE), Versions - 1.0, 1.01, 1.02, 1.03
          Medium, CVSS 5.4

2842034   [CVE-2019-0390] Information Disclosure in SAP Data Hub
          Product - SAP Diagnostics Agent (LM_Service), Versions - 7.2
          Medium, CVSS 5

2843016   [CVE-2019-0388] Content spoofing vulnerability in UI5 HTTP Handler
          Product - SAP UI, Versions - 7.5, 7.51, 7.52, 7.53, 7.54
          Product - SAP UI 700, Versions - 2.0
          Medium, CVSS 4.3

2835226   [CVE-2019-0391] Information Disclosure in SAP NetWeaver Application Server Java (eCATT service)
          Product - SAP NetWeaver AS Java, Versions - 7.10, 7.20, 7.30, 7.31, 7.4, 7.5
          Medium, CVSS 4.3

2819170   [CVE-2019-0383] Missing Authorization check in SAP Treasury and Risk Management (Transaction Management)
          Product - SAP Treasury and Risk Management (S4CORE), Versions - 1.01, 1.02, 1.03, 1.04
          Product - SAP Treasury and Risk Management (EA-FINSERV), Versions - 6.0, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0
          Medium, CVSS 4.3
