On 12 March, SAP released security updates comprising 9 new patches and 3 updates to previously released patches. 1 patch is rated "very high" and 2 are rated "high".
CERT PSE encourages administrators to review the SAP Security Patch Day notes and apply the necessary updates.
Full list of patches:
Note# | Title | Priority | CVSS |
2622660 | Update to security note release on April 2018 Patch Day: Security updates for the browser control Google Chromium delivered with SAP Business Client Product – SAP Business Client; Version – 6.5 | Hot News | 9.8 |
2764283 | [CVE-2019-0277] XML External Entity vulnerability in SAP HANA extended application services, advanced Product – SAP HANA Extended Application Services, Versions – 1 | High | 8.7 |
2689925 | [CVE-2019-0275] Cross-Site Scripting (XSS) Vulnerability in SAP NW SAML 1.1 SSO Demo App Product – SAP NetWeaver Java Application Server (J2EE-APPS), Versions – 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40 and 7.50 | High | 7.6 |
2736825 | [CVE-2019-0271] Denial of Service via XML External Entity (XXE) vulnerability in ABAP Server Product – ABAP Server (used in NetWeaver and Suite/ERP), Version – Using Kernel 7.21 or 7.22, that is ABAP Server 7.00 to 7.31, Using Kernel 7.45, 7.49 or 7.53, that is ABAP Server 7.40 to 7.52 or ABAP Platform | Medium | 6.5 |
2727689 | [CVE-2019-0270] Missing Authorization check in ABAP Server of SAP NetWeaver Product – ABAP Server of SAP NetWeaver and ABAP Platform; Versions – KRNL32NUC 7.21, KRNL32NUC 7.21EXT, KRNL32NUC 7.22, KRNL32NUC 7.22EXT, KRNL32UC 7.21, KRNL32UC 7.21EXT, KRNL32UC 7.22, KRNL32UC 7.22EXT, KRNL64NUC 7.21, KRNL64NUC 7.21EXT, KRNL64NUC 7.22, KRNL64NUC 7.22EXT, KRNL64NUC 7.49, KRNL64NUC 7.74, KRNL64UC 7.21, KRNL64UC 7.21EXT, KRNL64UC 7.22, KRNL64UC 7.22EXT, KRNL64UC 7.49, KRNL64UC 7.73, KRNL64UC 7.74, KRNL64UC 8.04, KERNEL 7.21, KERNEL 7.45, KERNEL 7.49, KERNEL 7.53, KERNEL 7.73, KERNEL 7.74, KERNEL 7.75, KERNEL 8.04 | Medium | 6.3 |
2729710 | Update to security note release on February 2019 Patch Day: [CVE-2019-0265] XML External Entity (XXE) vulnerability in SLD Registration of ABAP Platform Product – ABAP Platform (SLD Registration), Versions – KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT; KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT; KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49; KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.73; KERNEL from 7.21 to 7.22, 7.45, 7.49, 7.53, 7.73, 7.75 | Medium | 6 |
2753497 | [CVE-2019-0274] Denial of service (DOS) in SAP Work and Inventory Manager Product – SAP Mobile Platform SDK, Versions – upgrade to SMP Mobile Platform SDK 3.1 SP03 PL02, SDK 3.1 SP04, or later | Medium | 5.5 |
2693962 | [CVE-2019-0269] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects BIWorkspace Product – SAP BusinessObjects Business Intelligence Platform (BI Workspace), Version – 4.10, 4.20 | Medium | 5.4 |
2689259 | [CVE-2019-0268] Missing XML Validation vulnerability in SAP BusinessObjects BI Platform CMC module Product – SAP BusinessObjects Business Intelligence Platform (CMC Module), Version – 4.10, 4.20, 4.30 | Medium | 5.4 |
2732527 | Potential Oracle attack on OPC UA server in SAP Plant Connectivity Related CVE: CVE-2018-7559 Product – SAP Plant Connectivity, Versions – 15.1, 15.2 | Medium | 5.3 |
2662687 | Update to security note release on January 2019 Patch Day: [CVE-2018-2484] Missing Authorization check in SAP Enterprise Financial Services Product – SAP Enterprise Financial Services, Versions – SAPSCORE 1.13, 1.14, 1.15; S4CORE 1.01, 1.02, 1.03; EA-FINSERV 1.10, 2.0, 5.0, 6.0, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0; Bank/CFM 4.63_20 | Medium | 4.3 |
2754235 | [CVE-2019-0276] Inadequate Authorization check in Banking services from SAP and SAP S/4HANA Financial Products Subledger Product – FSAPPL, Version – 5; Product – S4FPSL, Version 1; Product – Banking services from SAP, Version – 9.0 | Medium | 4.3 |