On 14 May, SAP released security updates comprising 8 new patches and 5 updates to previously released patches. One patch is rated "High".
CERT PSE encourages administrators to review the SAP Security Patch Day notes and apply the necessary updates.
Full list of patches:
Note# | Title | Priority | CVSS |
2784307 | [CVE-2019-0301] Privilege Escalation in SAP Identity Management REST Interface Version 2 Product – SAP Identity Management (REST Interface); Version – 2 | High | 8.4 |
2737278 | [CVE-2019-0287] Information Disclosure in SAP BusinessObjects Business Intelligence platform / Central Management Server Product – SAP BusinessObjects Business Intelligence platform (Central Management Server), Versions – 4.20, 4.30 | Medium | 6.3 |
2744937 | [CVE-2019-0280] Missing authorization check in SAP Treasury and Risk Management Product – SAP Treasury and Risk Management, Versions – 6.0, 6.03, 6.04, 6.05, 6.06, 6.16, 617, 6.18, 8.0 | Medium | 6.3 |
2773086 | [CVE-2019-0298] Cross-Site Scripting (XSS) vulnerability in SAP E-Commerce (Business-to-Consumer) application Product – SAP E-Commerce (Business-to-Consumer), Versions – (SAP-CRMJAV SAP-CRMWEB SAP-SHRWEB SAP-SHRJAV SAP-CRMAPP SAP-SHRAPP) 7.30, 7.31, 7.32, 7.33, 7.54 | Medium | 6.1 |
2738796 | [CVE-2019-0289] Information Disclosure in SAP BusinessObjects Business Intelligence platform / Analysis for OLAP Product – SAP BusinessObjects Business Intelligence platform, Versions – 4.2, 4.3 | Medium | 5.4 |
962319 | Update to security note release on October 2009 Patch Day: Detailed error messages with stack trace in Web Dynpro Product – Web Dynpro Java, Versions – 6.40, 7.00, 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 | Medium | 5.3 |
2756625 | [CVE-2019-0293] Missing Authorization check in check of RFC destinations on SAP Solution Manager and ABAP managed systems Product – SAP Solution Manager system (ST-PI), Versions – 2008_1_700, 2008_1_710, and 740 | Medium | 5 |
1525125 | Update to security note release on December 2010 Patch Day: Update #1 to Security Note 1408081 Software Component – KRNL32NUC, Versions – 7.20, 7.20EXT Software Component – KRNL32UC, Versions – 7.20, 7.20EXT Software Component – KRNL64NUC, Versions – 7.20, 7.20EXT Software Component – KRNL64UC, Versions – 7.20, 7.2L, 7.20EXT, 8.00 Software Component – KERNEL, Versions – 7.20, 7.2L, 8.00 | Medium | 4.8 |
1408081 | Update to security note release on September 2010 Patch Day: Basic settings for reg_info and sec_info Software Component – SAP BASIS, Versions – 46D, 6.40, from 7.00 to 7.02, 7.10, 7.30, 7.31, 7.40 | Medium | 4.8 |
2664504 | Update 1 to SAP Security Note 1715734 Product – Dbpool of AS JAVA, Versions – 6.40, 7.00, 7.01, 7.10, 7.11, 7.20, 7.30, 7.31, 7.40 | Medium | 4.7 |
1715734 | Update to security note release on March 2013 Patch Day: Missing authorization check in dbpool administration Product – Dbpool of AS JAVA, Versions – 6.40, 7.00, 7.01, 7.10, 7.11, 7.20, 7.30, 7.31, 7.40 | Medium | 4.7 |
2748699 | [CVE-2019-0291] Information Disclosure in Solution Manager 7.2 / CA Introscope Enterprise Manager Product – Solution Manager, Version – 7.2 | Medium | 4.3 |
2662687 | Update to security note release on January 2019 Patch Day: [CVE-2018-2484] Missing Authorization check in SAP Enterprise Financial Services Product – SAP Enterprise Financial Services, Versions – SAPSCORE 1.13, 1.14, 1.15; S4CORE 1.01, 1.02, 1.03; EA-FINSERV 1.10, 2.0, 5.0, 6.0, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0; Bank/CFM 4.63_20 | Medium | 4.3 |