On 14 November, SAP released security updates comprising 13 new patches and 9 updates to previously released patches. 3 patches are rated "Very High" and 1 "High".
CERT PSE encourages administrators to review the SAP Security Patch Day notes and apply the necessary updates.
Full list of patches:
Note# | Title | Priority | CVSS |
2371726 | Update to Security Note released on September 2016 Patch Day: Code Injection vulnerability in Text Conversion | Very High | 9.1 |
2520772 | Update to Security Note released in September 2017: Information Disclosure in LaMa 3.0 | Very High | 9.1 |
2531241 | Update to Security Note released in September 2017: Information Disclosure in LVM 2.1 and LaMa 3.0 | Very High | 9.1 |
2500044 | Full access to SAP Management Console | High | 8.0 |
2492658 | Update to Security Note released on September 2017 Patch Day: Missing XML Validation vulnerability in SAP NetWeaver Java Workflow (JWF) | Medium | 6.9 |
1560538 | Update to Security Note released in May 2011: Missing authorization check in SCM-APO-INT | Medium | 6.3 |
2374767 | Cross-Site Scripting (XSS) vulnerability in SAPUI5 | Medium | 6.1 |
2473504 | Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Analysis Edition for OLAP | Medium | 6.1 |
2541610 | Cross-Site Scripting (XSS) vulnerability in SAP CRM Mail Form Editor | Medium | 6.1 |
2471209 | Update to Security Note released on September 2017 Patch Day: Cross-Site Scripting (XSS) vulnerability in SAPGUI for HTML | Medium | 6.1 |
2492999 | Multiple security vulnerabilities in SAP ERP Learning Solution Content Player | Medium | 5.5 |
2408073 | Update to Security Note released on September 2017 Patch Day: Handling of Digitally Signed notes in SAP Note Assistant | Medium | 5.5 |
2464582 | Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Knowledge Management XMLForms | Medium | 5.4 |
2400292 | Update to Security Note released on April 2017 Patch Day: Missing XML Validation vulnerability in TranslationSupport application | Medium | 5.4 |
2493171 | Information Disclosure in SAP NetWeaver Instance Agent Service | Medium | 5.3 |
2546220 | SNOTE: Digital signature verification along with note file extraction | Medium | 5.3 |
2508673 | Information Disclosure in SAP HANA Extended Application Services (XS Advanced) | Medium | 5.0 |
2535629 | DLL preload attack possible on NwSapSetup and Installation self extracting program | Medium | 5.0 |
2372301 | Update to Security Note released on April 2017 Patch Day: Missing XML Validation in Composite Application Framework Authorization Tool | Medium | 4.9 |
2508767 | Privilege Escalation after installation of SAP Systems on SAP HANA | Medium | 4.7 |
2514475 | Directory Traversal vulnerability in SAP BI Mobile Server | Medium | 4.3 |
2485208 | Log Injection Vulnerability in SAP NetWeaver AS Java | Medium | 4.3 |