SAP released the April 2018 Security Patch Day, a collection of ten security notes, including a Hot News note that addresses critical vulnerabilities in the web browser controls delivered with SAP Business Client.

SAP also released two updates to previously released security notes. Of the twelve notes, one was rated Hot News, four were rated High Priority, and seven were rated Medium Priority.

The most common vulnerability type this month is Implementation Flaw.

April 2018 Security Patch Day

Below is the list of security notes released on the April 2018 Security Patch Day (note number, title, affected products and versions, priority, CVSS base score):

Note 2622660 – Security updates for web browser controls delivered with SAP Business Client
Product – SAP Business Client, Version – 6.5
Priority – Hot News, CVSS – 9.8

Note 2587985 – Denial of Service (DoS) in SAP Business One
Related CVE – CVE-2017-7668
Product – SAP Business One, Versions – 9.2, 9.3
Priority – High, CVSS – 7.5

Note 2376081 – Update to Security Note released on August 2017 Patch Day: Code Injection vulnerability in Visual Composer 04s iviews
Product – SAP Visual Composer, Versions – 7.00, 7.01, 7.02, 7.30, 7.31
Priority – High, CVSS – 7.4

Note 2552318 – Update 1 to Security Note 2376081
Product – SAP Visual Composer, Versions – 7.00, 7.01, 7.02, 7.30, 7.31
Priority – High, CVSS – 7.4

Note 2537150 – [CVE-2018-2408] Improper Session Management in SAP Business Objects – CMC/BI Launchpad/Fiorified BI Launchpad
Product – SAP Business Objects, Versions – 4.0, from 4.10, from 4.20, 4.30
Priority – High, CVSS – 7.3

Note 2614141 – [CVE-2018-2409] Improper session management when using SAP CP Connectivity Service and Cloud Connector
Product – SAP Cloud Platform Connector, Version – 2.0
Priority – Medium, CVSS – 6.3

Note 2595800 – [CVE-2018-2403] Multiple Security Vulnerabilities in SAP Disclosure Management
Related CVEs – CVE-2018-2404, CVE-2018-2412, CVE-2018-2413
Product – SAP Disclosure Management, Version – 10.1
Priority – Medium, CVSS – 5.4

Note 2372688 – [CVE-2018-2405] Cross-Site Scripting in Solution Manager Incident Management Workcenter
Product – SAP Solution Manager, Versions – 7.10, 7.20
Priority – Medium, CVSS – 5.4

Note 2582870 – [CVE-2018-2410] Cross-Site Scripting (XSS) Vulnerability in SAP Business One Browser Access
Product – SAP Business One, Versions – 9.20, 9.30
Priority – Medium, CVSS – 5.4

Note 2201710 – Update to Security Note released on September 2015 Patch Day: Fixing Logjam and Alternative chains certificate forgery vulnerabilities in multiple SAP products
Product – Sybase PowerBuilder, Version – 12.6
Product – SMP, Version – 2.3
Product – Agentry, Version – 6.0
Product – SAP Open Switch, Version – 15.1
Product – SAP Open Server, Versions – 15.7, 16.0
Product – SDK for SAP ASE, Version – 16.0
Product – SYBASE SOFTWARE DEV KIT, Version – 15.7
Product – SYBASE IQ, Version – 15.4
Product – SAP IQ, Version – 16.0
Product – Sybase SQL Anywhere, Versions – 12.0.1, 16.0
Product – SAP SQL Anywhere, Version – 17.0
Product – SAP SQL Anywhere OnDemand, Version – 1.0
Product – SAP ASE, Versions – 15.7, 16.0
Product – SAP Replication Server, Version – 15.7
Product – SYBASE ECDA, Version – 15.7
Product – SAP HANA Smart Data Streaming, Version – 1.0
Product – SAP Complex Assembly Manufacturing, Version – 7.2
Product – SAP Data Services, Version – 4.2
Priority – Medium, CVSS – 5.4

Note 2560132 – [CVE-2018-2406] Unquoted Windows search path vulnerability in Crystal Reports Server, OEM Edition
Product – SAP Crystal Reports Server, OEM Edition, Versions – 4.0, 4.10, 4.20, 4.30
Priority – Medium, CVSS – 5.3

Note 2598687 – Missing XML Validation vulnerability in SAP Control Center and SAP Cockpit Framework
Related CVE – CVE-2009-3960
Product – SAP Control Center and SAP Cockpit Framework
Priority – Medium, CVSS – 4.3

The most severe note, 2622660, addresses multiple issues in the web browser controls used to display pages in SAP Business Client 6.5 PL5. The vulnerabilities affect the browser controls for both Microsoft's Internet Explorer (IE) and the open source Chromium engine.

“The bugs concern vulnerabilities in web browser controls that are used to display pages in SAP Business Client 6.5 PL5. Web browser controls are programmable building blocks that software developers use to embed web pages in their applications,” reads the analysis published by Onapsis.

“The latter has been determined to show multiple weaknesses like memory corruption, information disclosure and more. Although the SAP note does not explicitly mention it, similar security flaws can be expected for IE.”

The April 2018 Security Patch Day also addresses a denial-of-service flaw in SAP Business One, tracked as CVE-2017-7668.

“An attacker can use a denial of service vulnerability to terminate a process of a vulnerable component,” reads the analysis published by the firm ERPScan. “For this time, nobody can use this service; this fact negatively influences business processes, causing system downtime and damage to business reputation as a result. Install this SAP Security Note to prevent the risks.”

SAP also fixed an improper session management flaw (CVE-2018-2408) affecting SAP Business Objects (CMC, BI Launchpad and Fiorified BI Launchpad).

SAP also addressed a code injection vulnerability in SAP Visual Composer that could be exploited by attackers to inject code into the back-end application by sending a specially crafted HTTP GET request to Visual Composer.
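Note 2560132 in the list above is an unquoted Windows search path bug (CVE-2018-2406). The article does not describe the affected service or its binary path, so what follows is an added, generic check for that bug class, written for this page rather than taken from SAP, Onapsis or ERPScan. It takes Windows service ImagePath values (the constructed sample entries below are invented, not the Crystal Reports Server component) and reports, for each unquoted path containing spaces, the locations Windows would try before the intended executable, which is where a local user with write access to that directory could plant a binary that runs with the service's privileges.

```python
from typing import Dict, List

# Constructed sample ImagePath values, modelled on what "sc qc <service>"
# or the registry value
# HKLM\SYSTEM\CurrentControlSet\Services\<service>\ImagePath returns.
# Service names and paths are invented for this example; they are not the
# SAP component behind note 2560132.
SAMPLE_IMAGE_PATHS: Dict[str, str] = {
    "ReportSvc":       r"C:\Program Files\Vendor\Report Server\svc.exe -run",
    "ReportSvcQuoted": r'"C:\Program Files\Vendor\Report Server\svc.exe" -run',
    "SystemSvc":       r"C:\Windows\System32\svchost.exe -k netsvcs",
    "NoSpaces":        r"C:\Vendor\svc.exe",
}


def hijack_candidates(image_path: str) -> List[str]:
    """Return the paths Windows may try before the intended executable.

    When CreateProcess is given an unquoted command line whose path contains
    spaces, it cannot tell where the program name ends, so it tries each
    space-delimited prefix (with .exe appended) in turn until one exists.
    Every prefix that comes before the real executable is therefore a
    hijack location if a low-privileged user can write to its directory.
    Quoted paths and paths without spaces are unambiguous and yield [].
    """
    path = image_path.strip()
    if path.startswith('"') or " " not in path:
        return []
    parts = path.split(" ")
    candidates: List[str] = []
    for i in range(1, len(parts)):
        prefix = " ".join(parts[:i])
        if prefix.lower().endswith(".exe"):
            break  # reached the real executable; the rest are arguments
        candidates.append(prefix + ".exe")
    return candidates


def is_unquoted_search_path(image_path: str) -> bool:
    """True when the ImagePath is exposed to the unquoted search path bug."""
    return bool(hijack_candidates(image_path))


def audit(image_paths: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each vulnerable service name to the locations whose ACLs need checking."""
    findings: Dict[str, List[str]] = {}
    for name, image_path in image_paths.items():
        candidates = hijack_candidates(image_path)
        if candidates:
            findings[name] = candidates
    return findings


if __name__ == "__main__":
    for service, locations in audit(SAMPLE_IMAGE_PATHS).items():
        print(f"{service}: unquoted search path; check write ACLs on the directory of:")
        for location in locations:
            print(f"    {location}")
```

On a real host the input dictionary would be built from the Name and PathName columns of `Get-CimInstance Win32_Service` (or `wmic service get name,pathname`), and each reported candidate's parent directory would then be checked with `icacls` for write or create permissions granted to Users, Authenticated Users or Everyone; only a writable directory turns the finding into a local privilege escalation.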


Pierluigi Paganini

(Security Affairs – April 2018 Security Patch Day, SAP)

The post SAP April 2018 Security Patch Day address critical flaws in web browser controls in SAP Business Client appeared first on Security Affairs.