On 14 November SAP released security updates comprising 11 new patches and 4 updates to earlier patches. One patch is rated "very high" and three are rated "high".
CERT PSE encourages administrators to review the SAP Security Patch Day notes and apply the necessary updates.
Full list of patches (CVSS vector given in the compact form used by the advisory: AV AC PR UI | Scope | C I A):
| Note# | Title | Affected product / component / versions | Priority | CVSS score | CVSS vector |
|---|---|---|---|---|---|
| 2357141 | Update to Security Note released on November 2017 Patch Day: OS Command Injection vulnerability in Report for Terminology Export | Product: SAP Netweaver Documentation and Translation tools; Software Component: SAP Basis; Versions: 7.31, 7.40, 7.50, 7.51, 7.65, 7.66 | Very High | 9.1 | NLHN \| C \| HHH |
| 2449757 | [CVE-2017-16689] Additional Authentication check in Trusted RFC on same system | Product: Trusted RFC connection; Software Components: SAP KERNEL32NUC, KERNEL32Unicode, KERNEL64NUC, KERNEL64Unicode; Versions: 7.21, 7.21EXT, 7.22, 7.22EXT; Software Component: SAP KERNEL; Versions: 7.21, 7.22, 7.45, 7.49 | High | 7.6 | NLLN \| U \| HLL |
| 2026174 | Update to Security Note released on August 2014 Patch Day: SBOP solution for Apache Struts 1.x Vulnerability CVE-2014-0094 | Product: SAP Business Objects Enterprise; Software Component: Enterprise; Versions: XI3.1, 4.0, 4.10 | High | 7.5 | NLNN \| U \| NNH |
| 2537152 | [CVE-2017-16684] Missing Authentication check in SAP BI Promotion Management Application | Product: SAP Business Intelligence Promotion Management Application; Software Component: Enterprise; Versions: 4.10, 4.20, 4.30 | High | 7.3 | NLNN \| U \| LLL |
| 2537545 | [CVE-2017-16685] Cross-Site Scripting (XSS) vulnerability in SAP BW Universal Data Integration | Product: SAP Business Warehouse Universal Data Integration; Software Component: BI UDI; Versions: 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 | Medium | 6.9 | NHNR \| C \| HLN |
| 2457562 | [CVE-2017-16678] Server-Side Request Forgery (SSRF) vulnerability in SAP NetWeaver Knowledge Management Configuration Service | Product: SAP NetWeaver Knowledge Management Configuration Service; Software Components: EPBC, EPBC2; Versions: 7.00, 7.01, 7.02; Software Component: KMC-BC; Versions: 7.30, 7.31, 7.40, 7.50 | Medium | 6.6 | NLHN \| C \| LLL |
| 2531656 | [CVE-2017-16683] Denial of service (DoS) in SAP BusinessObjects Platform | Product: SAP Business Objects Platform; Software Component: Enterprise; Versions: 4.10, 4.20 | Medium | 6.5 | NLLN \| U \| NNH |
| 2523913 | [CVE-2017-16681] Cross-Site Scripting (XSS) vulnerability in BI Promotion Management Application | Product: SAP Business Intelligence Promotion Management Application; Software Component: Enterprise; Versions: 4.10, 4.20, 4.30 | Medium | 6.1 | NLNR \| C \| LLN |
| 2408073 | Update to Security Note released on September 2017 Patch Day: Handling of Digitally Signed notes in SAP Note Assistant | Product: SAP Note Assistant; Software Component: SAP Basis; Versions: 46A-46D, 6.10-6.40, 7.00-7.02, 7.10, 7.11, 7.30, 7.31, 7.40, 7.50-7.52 | Medium | 5.5 | NHLR \| C \| LLL |
| 2520995 | [CVE-2017-16679] URL Redirection vulnerability in Startup Service | Product: SAP Startup Service; Software Components: KERNEL32NUC, KERNEL32Unicode, KERNEL64NUC, KERNEL64Unicode; Versions: 7.21, 7.21EXT, 7.22, 7.22EXT; Software Component: SAP KERNEL; Versions: 7.21, 7.22, 7.45, 7.49, 7.52 | Medium | 5.3 | NLNN \| U \| NLN |
| 2522510 | [CVE-2017-16680] Potential audit log injection vulnerability in SAP HANA XS Advanced | Product: SAP HANA extended application services; Software Component: SAP Extended App Services; Versions: 1.0 | Medium | 5.3 | NLNN \| U \| NLN |
| 2549983 | [CVE-2017-16687] Information Disclosure in SAP HANA XS classic user self-service | Product: SAP HANA extended application services; Software Component: SAP HANA Database; Versions: 1.00, 2.00 | Medium | 5.3 | NLNN \| U \| LNN |
| 2546220 | Update to Security Note released on November 2017 Patch Day: [CVE-2017-16691] SNOTE: Digital signature verification along with note file extraction | Product: SAP Note Assistant; Software Component: SAP Basis; Versions: 7.00, 7.01, 7.02, 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, 7.51, 7.52 | Medium | 5.3 | NHNR \| U \| NHN |
| 2526781 | [CVE-2017-16682] Code Injection vulnerability in SAP NetWeaver/ITS | Product: SAP Netweaver Internet Transaction Server (ITS); Software Component: SAP Basis; Versions: 7.00, 7.01, 7.02, 7.30, 7.31, 7.40, 7.50, 7.51, 7.52 | Medium | 5.1 | NHHR \| C \| LLL |
| 2529480 | [CVE-2017-16690] DLL preload attack possible on NwSapSetup and Installation self extracting program for SAP Plant Connectivity | Product: SAP Plant Connectivity (PCo); Versions: 2.3, 15.0 | Medium | 5.0 | NHNR \| U \| LLL |
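To sanity-check the scores in the table, here is an added CVSS v3.0 base-score calculator (written for this page, not part of the original advisory or of any SAP tooling) that reads the advisory's compact vector notation (AV AC PR UI | Scope | C I A), expands it to a standard vector string and recomputes the base score; the sample rows are copied from the table above.

```python
import math

# CVSS v3.0 base-metric weights from the FIRST specification.
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
AC = {"L": 0.77, "H": 0.44}
PR_UNCHANGED = {"N": 0.85, "L": 0.62, "H": 0.27}
PR_CHANGED = {"N": 0.85, "L": 0.68, "H": 0.50}   # Scope: Changed uses higher PR weights
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}


def roundup(x):
    """CVSS v3.0 Roundup: smallest one-decimal value >= x (guarded against float noise)."""
    return math.ceil(round(x * 10, 5)) / 10


def parse_compact_vector(compact):
    """Split 'NLHN | C | HHH' into (av, ac, pr, ui, scope, c, i, a); reject malformed input."""
    parts = [p.strip() for p in compact.split("|")]
    if len(parts) != 3 or len(parts[0]) != 4 or parts[1] not in ("U", "C") or len(parts[2]) != 3:
        raise ValueError(f"malformed compact vector: {compact!r}")
    av, ac, pr, ui = parts[0]
    c, i, a = parts[2]
    return av, ac, pr, ui, parts[1], c, i, a


def to_full_vector(compact):
    av, ac, pr, ui, s, c, i, a = parse_compact_vector(compact)
    return f"CVSS:3.0/AV:{av}/AC:{ac}/PR:{pr}/UI:{ui}/S:{s}/C:{c}/I:{i}/A:{a}"


def base_score(compact):
    av, ac, pr, ui, s, c, i, a = parse_compact_vector(compact)
    changed = s == "C"
    iss = 1 - (1 - CIA[c]) * (1 - CIA[i]) * (1 - CIA[a])
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    exploitability = 8.22 * AV[av] * AC[ac] * (PR_CHANGED if changed else PR_UNCHANGED)[pr] * UI[ui]
    if impact <= 0:
        return 0.0
    return roundup(min((1.08 if changed else 1.0) * (impact + exploitability), 10))


# Rows copied from the advisory table: note -> (compact vector, published score).
SAMPLE_ROWS = {
    "2357141": ("NLHN | C | HHH", 9.1),
    "2449757": ("NLLN | U | HLL", 7.6),
    "2537545": ("NHNR | C | HLN", 6.9),
    "2529480": ("NHNR | U | LLL", 5.0),
}


def verify_rows(rows=SAMPLE_ROWS):
    """Return {note: (published, recomputed)} for rows whose published score does not recompute."""
    return {n: (pub, base_score(v)) for n, (v, pub) in rows.items() if base_score(v) != pub}


if __name__ == "__main__":
    for note, (vec, pub) in SAMPLE_ROWS.items():
        print(note, to_full_vector(vec), "published", pub, "recomputed", base_score(vec))
    print("mismatches:", verify_rows())
```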