On 14 November 2017 SAP released security updates comprising 11 new patches and 4 updates to earlier patches. One patch is rated “Very High”, three are rated “High”.

CERT PSE encourages administrators to review the SAP Security Patch Day notes and apply the necessary updates.

Full list of patches:

Note # – Title
Product / Software Component – Versions
Priority – CVSS base score (abbreviated CVSS v3 vector: AV AC PR UI | Scope | C I A)

2357141 – Update to Security Note released on November 2017 Patch Day: OS Command Injection vulnerability in Report for Terminology Export
Product – SAP NetWeaver Documentation and Translation Tools
Software Component – SAP Basis; Versions – 7.31, 7.40, 7.50, 7.51, 7.65, 7.66
Priority – Very High; CVSS – 9.1 (NLHN | C | HHH)

2449757 – [CVE-2017-16689] Additional Authentication check in Trusted RFC on same system
Product – Trusted RFC connection
Software Components – SAP KERNEL32NUC, KERNEL32Unicode, KERNEL64NUC, KERNEL64Unicode; Versions – 7.21, 7.21EXT, 7.22, 7.22EXT
Software Component – SAP KERNEL; Versions – 7.21, 7.22, 7.45, 7.49
Priority – High; CVSS – 7.6 (NLLN | U | HLL)

2026174 – Update to Security Note released on August 2014 Patch Day: SBOP solution for Apache Struts 1.x vulnerability CVE-2014-0094
Product – SAP Business Objects Enterprise
Software Component – Enterprise; Versions – XI3.1, 4.0, 4.10
Priority – High; CVSS – 7.5 (NLNN | U | NNH)

2537152 – [CVE-2017-16684] Missing Authentication check in SAP BI Promotion Management Application
Product – SAP Business Intelligence Promotion Management Application
Software Component – Enterprise; Versions – 4.10, 4.20, 4.30
Priority – High; CVSS – 7.3 (NLNN | U | LLL)

2537545 – [CVE-2017-16685] Cross-Site Scripting (XSS) vulnerability in SAP BW Universal Data Integration
Product – SAP Business Warehouse Universal Data Integration
Software Component – BI UDI; Versions – 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50
Priority – Medium; CVSS – 6.9 (NHNR | C | HLN)

2457562 – [CVE-2017-16678] Server-Side Request Forgery (SSRF) vulnerability in SAP NetWeaver Knowledge Management Configuration Service
Product – SAP NetWeaver Knowledge Management Configuration Service
Software Components – EPBC, EPBC2; Versions – 7.00, 7.01, 7.02
Software Component – KMC-BC; Versions – 7.30, 7.31, 7.40, 7.50
Priority – Medium; CVSS – 6.6 (NLHN | C | LLL)

2531656 – [CVE-2017-16683] Denial of Service (DoS) in SAP BusinessObjects Platform
Product – SAP Business Objects Platform
Software Component – Enterprise; Versions – 4.10, 4.20
Priority – Medium; CVSS – 6.5 (NLLN | U | NNH)

2523913 – [CVE-2017-16681] Cross-Site Scripting (XSS) vulnerability in BI Promotion Management Application
Product – SAP Business Intelligence Promotion Management Application
Software Component – Enterprise; Versions – 4.10, 4.20, 4.30
Priority – Medium; CVSS – 6.1 (NLNR | C | LLN)

2408073 – Update to Security Note released on September 2017 Patch Day: Handling of Digitally Signed notes in SAP Note Assistant
Product – SAP Note Assistant
Software Component – SAP Basis; Versions – 46A–46D, 6.10–6.40, 7.00–7.02, 7.10, 7.11, 7.30, 7.31, 7.40, 7.50–7.52
Priority – Medium; CVSS – 5.5 (NHLR | C | LLL)

2520995 – [CVE-2017-16679] URL Redirection vulnerability in Startup Service
Product – SAP Startup Service
Software Components – KERNEL32NUC, KERNEL32Unicode, KERNEL64NUC, KERNEL64Unicode; Versions – 7.21, 7.21EXT, 7.22, 7.22EXT
Software Component – SAP KERNEL; Versions – 7.21, 7.22, 7.45, 7.49, 7.52
Priority – Medium; CVSS – 5.3 (NLNN | U | NLN)

2522510 – [CVE-2017-16680] Potential audit log injection vulnerability in SAP HANA XS Advanced
Product – SAP HANA extended application services
Software Component – SAP Extended App Services; Versions – 1.0
Priority – Medium; CVSS – 5.3 (NLNN | U | NLN)

2549983 – [CVE-2017-16687] Information Disclosure in SAP HANA XS classic user self-service
Product – SAP HANA extended application services
Software Component – SAP HANA Database; Versions – 1.00, 2.00
Priority – Medium; CVSS – 5.3 (NLNN | U | LNN)

2546220 – Update to Security Note released on November 2017 Patch Day: [CVE-2017-16691] SNOTE: Digital signature verification along with note file extraction
Product – SAP Note Assistant
Software Component – SAP Basis; Versions – 7.00, 7.01, 7.02, 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, 7.51, 7.52
Priority – Medium; CVSS – 5.3 (NHNR | U | NHN)

2526781 – [CVE-2017-16682] Code Injection vulnerability in SAP NetWeaver/ITS
Product – SAP NetWeaver Internet Transaction Server (ITS)
Software Component – SAP Basis; Versions – 7.00, 7.01, 7.02, 7.30, 7.31, 7.40, 7.50, 7.51, 7.52
Priority – Medium; CVSS – 5.1 (NHHR | C | LLL)

2529480 – [CVE-2017-16690] DLL preload attack possible on NwSapSetup and Installation self-extracting program for SAP Plant Connectivity
Product – SAP Plant Connectivity (PCo)
Versions – 2.3, 15.0
Priority – Medium; CVSS – 5.0 (NHNR | U | LLL)
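Added example (not part of the CERT PSE advisory or of SAP's material): a Python script that expands the abbreviated vectors from the table into full CVSS:3.0 strings and recomputes the base score, so the listed ratings can be verified or re-derived for an internal patch ranking. It assumes the shorthand follows the standard CVSS v3.0 metric order (AV AC PR UI | Scope | C I A); the note numbers and scores in LISTED are copied from the table above.

```python
"""Decode the abbreviated CVSS v3.0 vectors from the table above and recompute the
base score. Added example, not part of the advisory. Assumed shorthand layout:
'AV AC PR UI | Scope | C I A', e.g. 'NLHN | C | HHH'."""
import math

# CVSS v3.0 base metric weights (FIRST specification).
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
AC = {"L": 0.77, "H": 0.44}
PR_UNCHANGED = {"N": 0.85, "L": 0.62, "H": 0.27}
PR_CHANGED = {"N": 0.85, "L": 0.68, "H": 0.50}  # PR weighs more when scope changes
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}

def parse(short):
    """Split 'NLHN | C | HHH' into (av, ac, pr, ui, scope, c, i, a)."""
    expl, scope, impact = (p.strip() for p in short.split("|"))
    return (*expl, scope, *impact)

def expand(short):
    """Shorthand -> full vector, e.g. CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H."""
    av, ac, pr, ui, s, c, i, a = parse(short)
    return f"CVSS:3.0/AV:{av}/AC:{ac}/PR:{pr}/UI:{ui}/S:{s}/C:{c}/I:{i}/A:{a}"

def base_score(short):
    """CVSS v3.0 base score, rounded up to one decimal as the spec requires."""
    av, ac, pr, ui, s, c, i, a = parse(short)
    pr_w = (PR_CHANGED if s == "C" else PR_UNCHANGED)[pr]
    exploitability = 8.22 * AV[av] * AC[ac] * pr_w * UI[ui]
    iss = 1 - (1 - CIA[c]) * (1 - CIA[i]) * (1 - CIA[a])
    if s == "C":
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
        total = 1.08 * (impact + exploitability)
    else:
        impact = 6.42 * iss
        total = impact + exploitability
    if impact <= 0:
        return 0.0
    return math.ceil(min(total, 10) * 10) / 10

# Constructed input: (note, listed score, shorthand) copied from the table above.
LISTED = [("2357141", 9.1, "NLHN | C | HHH"), ("2449757", 7.6, "NLLN | U | HLL"),
          ("2026174", 7.5, "NLNN | U | NNH"), ("2537545", 6.9, "NHNR | C | HLN"),
          ("2408073", 5.5, "NHLR | C | LLL"), ("2526781", 5.1, "NHHR | C | LLL")]

def mismatches(rows=LISTED):
    """Notes whose recomputed score differs from the listed one (expect none)."""
    return [note for note, listed, short in rows if base_score(short) != listed]

if __name__ == "__main__":
    for note, listed, short in LISTED:
        print(note, listed, base_score(short), expand(short))
    print("mismatches:", mismatches())
```

Every vector in the table reproduces its listed score under CVSS v3.0, so the same function can rank notes the advisory does not cover, given their shorthand.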