{"id":6000,"date":"2017-07-11T10:00:23","date_gmt":"2017-07-11T08:00:23","guid":{"rendered":"http:\/\/inprosec.com\/sap-security-updates-q2-2017\/"},"modified":"2023-05-22T13:43:48","modified_gmt":"2023-05-22T11:43:48","slug":"sap-security-updates-q2-2017","status":"publish","type":"post","link":"https:\/\/www.inprosec.com\/en\/sap-security-updates-q2-2017\/","title":{"rendered":"SAP Security Notes: Q2 2017"},"content":{"rendered":"<p><img decoding=\"async\" class=\"aligncenter\" src=\"https:\/\/www.csinfotech.org\/library\/blogimage\/SAP_patches.png\" alt=\"Image result for sap security updates\" \/><\/p>\n<p><strong>SAP<\/strong> has issued a total of 74 notes in the first quarter of 2017.<\/p>\n<ol>\n<li>There were <a href=\"https:\/\/blogs.sap.com\/2017\/04\/11\/sap-security-patch-day-april-2017\/\"><b>28 notes issued in April<\/b><\/a>. One of them has critical priority (Hot News) and four of them high priority. The critical note (CVSS 9.4) affects <u>TREX \/ BWA [2419592]<\/u> and allows Remote Code Execution. The most prevalent note types are \u201cMissing Authorization Check\u201d, \u201cXML Data Validation Error\u201d and \u201cCross-Site Scripting (XSS)\u201d.<\/li>\n<li>There were <b><a href=\"https:\/\/blogs.sap.com\/2017\/05\/09\/sap-security-patch-day-may-2017\/\">17 notes issued in May<\/a>.<\/b> Only one of them has high priority, while the other 16 have medium or low priority. The high priority note does not affect SAP directly but a component used by the Internet Graphics Server (IGS).
Most of the notes apply to ABAP NetWeaver, and the most prevalent types are \u201cMissing Authorization Check\u201d and \u201cCross-Site Scripting (XSS)\u201d.<\/li>\n<li>There were <a href=\"https:\/\/blogs.sap.com\/2017\/06\/13\/sap-security-patch-day-june2017\/\"><strong>29 notes issued in June<\/strong><\/a>, 5 of them with high priority and the rest with medium priority. The high priority notes were related to BILaunchPad, Central Management Console, SAP NetWeaver Instance Agent Service and Cross-Site Scripting (XSS).<\/li>\n<\/ol>\n<p>The most relevant security updates in this quarter were:<\/p>\n<ol>\n<li><strong><u>Unauthorized usage of application functionality (1450166)<\/u><\/strong>: several components were patched to prevent client-side web attacks such as <strong>Cross-Site Request Forgery<\/strong>. After proper installation of the suggested Support Packages, a new <strong>XSRF<\/strong> Protection Framework is added to the systems. Over 20 older SAP Security Notes are referenced in this note and are affected by the new framework. <strong>CVSS v3 Base Score: not disclosed.<\/strong><\/li>\n<li><strong><u>Missing XML Validation vulnerability in Web Dynpro Flash Island (2410082):<\/u><\/strong> this component does <strong>not properly validate XML<\/strong> documents, which could lead to arbitrary file retrieval from the server or even denial-of-service attacks. <strong>CVSS v3 Base Score: 7.5 \/ 10<\/strong><\/li>\n<li><strong><u>Security vulnerabilities in SAPLPD (2421287):<\/u><\/strong> security vulnerabilities were found in this component, which is used for printing on Microsoft Windows.
Since there are newer and more secure printing options, SAP recommends switching to Frontend Print or Backend Print rather than upgrading this component (upgrading is only permitted where compatibility issues exist). <strong>CVSS v3 Base Score: 7.5 \/ 10<\/strong><\/li>\n<li><strong><u>SQL Injection vulnerability in Database Monitors for Oracle (2319506):<\/u><\/strong> updated in note #2418823, the support packages correct an <strong>SQL Injection<\/strong> vulnerability in the database layer. <strong>CVSS v3 Base Score: 7.2 \/ 10.<\/strong><\/li>\n<li><strong><u>Memory Corruption Vulnerability in IGS (2380277):<\/u><\/strong> details how an attacker can update a library component used by the Internet Graphics Server (IGS). The bug has been present for the last year. However, although it has been present for a while, it is easy to fix and there are no reports of it being widely exploited in the wild. Other software companies such as Oracle and Red Hat shipped the same library and updated it in 2016.<\/li>\n<li><strong><u>Denial of service (DoS) in BILaunchPad and Central Management Console (2313631):<\/u><\/strong> both services can be exploited to cause a <strong>Denial of Service<\/strong> on the servers; the note is rated high due to its impact on availability. <strong>CVSS v3 Base Score: 7.5 \/ 10<\/strong><\/li>\n<li><strong><u>Denial of service (DoS) in SAP NetWeaver Instance Agent Service (2389181):<\/u><\/strong> the same type of bug (<strong>DoS<\/strong>) and conditions as the previous one, but affecting another service. <strong>CVSS v3 Base Score: 7.5 \/ 10<\/strong><\/li>\n<li><strong><u>Improved security for outgoing HTTPS connections in SAP NetWeaver (2416119):<\/u><\/strong> this note is an update of a March publication and includes more information on how to configure <strong>HTTPS<\/strong> connections securely.
It\u2019s worth mentioning that this is a manual note that includes specific manual steps after patch installation. As a result, it could lead to <strong>usability issues if the certificates<\/strong> are not properly configured before implementation. This is the second month that SAP has published information about this note, so we strongly recommend patching it as soon as possible. <strong>CVSS v3 Base Score: 7.4 \/ 10<\/strong><\/li>\n<li><strong><u>Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Web Intelligence HTML interface (2396544):<\/u><\/strong> as with any <strong>XSS<\/strong> bug, without the note the component does not sufficiently validate user input, which enables <strong>client-side attacks<\/strong>. Although XSS bugs are usually not critical, this one has a high impact on confidentiality, which raises its CVSS score. <strong>CVSS v3 Base Score: 7.1 \/ 10<\/strong><\/li>\n<li><strong><u>Missing certificate verification in CommonCryptoLib (2444321):<\/u><\/strong> finally, there\u2019s another note related to <strong>HTTPS certificate validation<\/strong>, in this case through a third-party tool. This is a manual note that is resolved by installing the fixed version of the software, available in SAP Software Downloads. As with the related note, after installation there could be issues if no trusted certificates are installed. <strong>CVSS v3 Base Score: 7.0 \/ 10<\/strong><\/li>\n<\/ol>\n<p>For more information about the notes of each month, check the links above.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>SAP has issued a total of 74 notes in the first quarter of 2017. There were 28 notes issued in April. One of them has critical priority (Hot News) and four of them high priority.
The note with critical priority (CVSS 9.4) affects TREX \/ BWA [2419592] and allows Remote Code Execution. The most prevalent note types are \u201cMissing Authorization&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"categories":[4],"tags":[],"class_list":["post-6000","post","type-post","status-publish","format-standard","hentry","category-general"],"acf":[]}