SAP Security Notes June 2017

On the 13th of June 2017, SAP released its monthly set of SAP Security Notes consisting of 29 patches.

To help everyone engaged in the SAP patching process, the ERPScan research team conducted a detailed review of the released SAP Security Notes. This analysis comes in handy for companies providing SAP Vulnerability Assessment, SAP Security Audit, or SAP Penetration Testing.

SAP Security Notes June 2017 in review

June’s set of security patches includes 29 SAP Security Notes (21 SAP Security Patch Day Notes and 8 Support Package Notes). 5 of them are updates to previously released Security Notes.

5 of the released SAP Security Notes have a High priority rating. The highest CVSS score among the closed vulnerabilities is 7.5.

SAP Security Notes Distribution by priority

Most of the vulnerabilities belong to the SAP NetWeaver ABAP platform.

SAP Security Notes Distribution by stack

The most common vulnerability type is XSS.

SAP Security Notes Distribution by vulnerability type

Priority vs. Application type distribution

It is commonplace to say that SAP systems are complex; nonetheless, this complexity has to be taken into account when it comes to SAP patching. To simplify the process, the ERPScan research team created a table showing the distribution of the released notes by priority and application area.

Priority columns: Hot News, High, Medium, Low. SAP Security Notes by application area:

  • Enterprise Performance Management: 2422292, 2457269, 2429693
  • Business intelligence solutions: 2313631, 2396544, 2419559, 2419524
  • Basis Components: 2444321, 2389181, 2416119, 2425129, 2445071, 2430022, 2445033, 2405943, 2427292, 2423429, 2189781, 2423486, 2374661, 2316723
  • Enterprise information management solutions: 2472026
  • Supply Chain Management: 2457909
  • Cross-Application Components: 2373032, 2185122
  • SAP Business Information Warehouse: 2389764
  • Environment, Health and Safety: 1816886
  • Customer Relationship Management: 2236654
  • Financial Accounting: 2462813

The most critical issues of SAP Security Notes June 2017

The most critical vulnerabilities of this update can be patched by the following SAP Security Notes:

  • 2389181: SAP NetWeaver Instance Agent Service has a Denial of service vulnerability (CVSS Base Score: 7.5). An attacker can exploit the Denial of service vulnerability to terminate a process of the vulnerable component. While the process is down, nobody can use the service, which negatively affects business processes, causes system downtime and, as a result, harms business reputation. The update is available in SAP Security Note 2389181.
  • 2313631: BILaunchPad and Central Management Console have a Denial of service vulnerability (CVSS Base Score: 7.5). An attacker can exploit the Denial of service vulnerability to terminate a process of the vulnerable component. While the process is down, nobody can use the service, which negatively affects business processes, causes system downtime and, as a result, harms business reputation. Install this SAP Security Note to prevent the risks.
  • 2396544: SAP BusinessObjects Web Intelligence HTML interface has a Cross-Site Scripting vulnerability (CVSS Base Score: 7.1). An attacker can exploit the Cross-site scripting vulnerability to inject a malicious script into a page. The malicious script can access cookies, session tokens and other critical information stored and used for interaction with the web application. An attacker can gain access to a user session and learn business-critical information; in some cases, it is possible to take control of this information. XSS can also be used to modify the displayed content without authorization. Install this SAP Security Note to prevent the risks.
