On 14 November, SAP released security updates comprising 13 new patches and 9 updates to previously released patches. 3 of the patches are rated "Very High" and 1 "High".

CERT PSE encourages administrators to review the notes published for SAP Security Patch Day and to apply the necessary updates.

Full list of patches:

| Note# | Title | Priority | CVSS |
|---|---|---|---|
| 2371726 | Update to Security Note released on September 2016 Patch Day: Code Injection vulnerability in Text Conversion | Very High | 9.1 |
| 2520772 | Update to Security Note released in September 2017: Information Disclosure in LaMa 3.0 | Very High | 9.1 |
| 2531241 | Update to Security Note released in September 2017: Information Disclosure in LVM 2.1 and LaMa 3.0 | Very High | 9.1 |
| 2500044 | Full access to SAP Management Console | High | 8.0 |
| 2492658 | Update to Security Note released on September 2017 Patch Day: Missing XML Validation vulnerability in SAP NetWeaver Java Workflow (JWF) | Medium | 6.9 |
| 1560538 | Update to Security Note released in May 2011: Missing authorization check in SCM-APO-INT | Medium | 6.3 |
| 2374767 | Cross-Site Scripting (XSS) vulnerability in SAPUI5 | Medium | 6.1 |
| 2473504 | Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Analysis Edition for OLAP | Medium | 6.1 |
| 2541610 | Cross-Site Scripting (XSS) vulnerability in SAP CRM Mail Form Editor | Medium | 6.1 |
| 2471209 | Update to Security Note released on September 2017 Patch Day: Cross-Site Scripting (XSS) vulnerability in SAPGUI for HTML | Medium | 6.1 |
| 2492999 | Multiple security vulnerabilities in SAP ERP Learning Solution Content Player | Medium | 5.5 |
| 2408073 | Update to Security Note released on September 2017 Patch Day: Handling of Digitally Signed notes in SAP Note Assistant | Medium | 5.5 |
| 2464582 | Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Knowledge Management XMLForms | Medium | 5.4 |
| 2400292 | Update to Security Note released on April 2017 Patch Day: Missing XML Validation vulnerability in TranslationSupport application | Medium | 5.4 |
| 2493171 | Information Disclosure in SAP NetWeaver Instance Agent Service | Medium | 5.3 |
| 2546220 | SNOTE: Digital signature verification along with note file extraction | Medium | 5.3 |
| 2508673 | Information Disclosure in SAP HANA Extended Application Services (XS Advanced) | Medium | 5.0 |
| 2535629 | DLL preload attack possible on NwSapSetup and Installation self extracting program | Medium | 5.0 |
| 2372301 | Update to Security Note released on April 2017 Patch Day: Missing XML Validation in Composite Application Framework Authorization Tool | Medium | 4.9 |
| 2508767 | Privilege Escalation after installation of SAP Systems on SAP HANA | Medium | 4.7 |
| 2514475 | Directory Traversal vulnerability in SAP BI Mobile Server | Medium | 4.3 |
| 2485208 | Log Injection Vulnerability in SAP NetWeaver AS Java | Medium | 4.3 |