Headline
CVE-2019-0271: SAP Security Patch Day – March 2019 - Product Security Response at SAP
ABAP Server (used in NetWeaver and Suite/ERP) and ABAP Platform does not sufficiently validate an XML document accepted from an untrusted source, leading to an XML External Entity (XEE) vulnerability. Fixed in Kernel 7.21 or 7.22, that is ABAP Server 7.00 to 7.31 and Kernel 7.45, 7.49 or 7.53, that is ABAP Server 7.40 to 7.52 or ABAP Platform. For more recent updates please refer to Security Note 2870067 (which supersedes the solution of Security Note 2736825) in the reference section below.
This post by SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that the customer visits the Support Portal and applies patches on a priority to protect their SAP landscape.
On 12th of March 2019, SAP Security Patch Day saw the release of 9 Security Notes. Additionally, there were 3 updates to previously released security notes.
We would like to inform that the vulnerability fixed by security note 2764283 is expected to be presented by a researcher at a security conference in March 2019. Therefore, we recommend our Customers to apply the SAP Security Note on priority.
List of security notes released on March Patch Day:
Note#
Title
Priority
CVSS
2622660
Update to security note release on April 2018 Patch Day:
**Security updates for the browser control Google Chromium delivered with SAP Business Client
**Product - SAP Business Client; Version - 6.5
Hot News
9.8
2764283
[CVE-2019-0277] XML External Entity vulnerability in SAP HANA extended application services, advanced
Product - SAP HANA Extended Application Services, Versions - 1
High
8.7
2689925
[CVE-2019-0275] **Cross-Site Scripting (XSS) Vulnerability in SAP NW SAML 1.1 SSO Demo App
**Product - SAP NetWeaver Java Application Server (J2EE-APPS), Versions - 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40 and 7.50
High
7.6
2736825
[CVE-2019-0271] Denial of Service via XML External Entity (XXE) vulnerability in ABAP ServerProduct - ABAP Server (used in NetWeaver and Suite/ERP), Version - Using Kernel 7.21 or 7.22, that is ABAP Server 7.00 to 7.31, Using Kernel 7.45, 7.49 or 7.53, that is ABAP Server 7.40 to 7.52 or ABAP Platform
Medium
6.5
2727689
[CVE-2019-0270] Missing Authorization check in ABAP Server of SAP NetWeaver
Product - ABAP Server of SAP NetWeaver and ABAP Platform; Versions - KRNL32NUC 7.21, KRNL32NUC 7.21EXT, KRNL32NUC 7.22, KRNL32NUC 7.22EXT, KRNL32UC 7.21, KRNL32UC 7.21EXT, KRNL32UC 7.22, KRNL32UC 7.22EXT, KRNL64NUC 7.21, KRNL64NUC 7.21EXT, KRNL64NUC 7.22, KRNL64NUC 7.22EXT, KRNL64NUC 7.49, KRNL64NUC 7.74, KRNL64UC 7.21, KRNL64UC 7.21EXT, KRNL64UC 7.22, KRNL64UC 7.22EXT, KRNL64UC 7.49, KRNL64UC 7.73, KRNL64UC 7.74, KRNL64UC 8.04, KERNEL 7.21, KERNEL 7.45, KERNEL 7.49, KERNEL 7.53, KERNEL 7.73, KERNEL 7.74, KERNEL 7.75, KERNEL 8.04
Medium
6.3
2729710
Update to security note release on February 2019 Patch Day:
[CVE-2019-0265] **XML External Entity (XXE) vulnerability in SLD Registration of ABAP Platform
**Product - ABAP Platform (SLD Registration), Versions - KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT; KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT; KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49; KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49. 7.73; KERNEL from 7.21 to 7.22, 7.45, 7.49, 7.53, 7.73, 7.75
Medium
6
2753497
[CVE-2019-0274] Denial of service (DOS) in SAP Work and Inventory ManagerProduct - SAP Mobile Platform SDK, Versions - upgrade to SMP Mobile Platform SDK 3.1 SP03 PL02, SDK 3.1 SP04, or later
Medium
5.5
2693962
[CVE-2019-0269] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects BIWorkspace
Product - SAP BusinessObjects Business Intelligence Platform (BI Workspace), Version - 4.10, 4.20
Medium
5.4
2689259
[CVE-2019-0268] Missing XML Validation vulnerability in SAP BusinessObjects BI Platform CMC moduleProduct - SAP BusinessObjects Business Intelligence Platform (CMC Module), Version - 4.10, 4.20, 4.30
Medium
5.4
2732527
**Potential Oracle attack on OPC UA server in SAP Plant Connectivity
**Related CVE: CVE-2018-7559
Product - SAP Plant Connectivity, Versions - 15.1, 15.2
Medium
5.3
2662687
Update to security note release on January 2019 Patch Day:
[CVE-2018-2484] Missing Authorization check in SAP Enterprise Financial Services
Product - SAP Enterprise Financial Services, Versions - SAPSCORE 1.13, 1.14, 1.15; S4CORE 1.01, 1.02, 1.03;
EA-FINSERV 1.10, 2.0, 5.0, 6.0, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0; Bank/CFM 4.63_20
Medium
4.3
2754235
[CVE-2019-0276] **Inadequate Authorization check in Banking services from SAP and SAP S/4HANA Financial Products Subledger
**Product - FSAPPL, Version - 5; Product - S4FPSL, Version 1; Product - Banking services from SAP, Version - 9.0
Medium
4.3
________________________________________________________________________________
Security Notes vs Vulnerability Types - March 2019
Security Notes vs Priority Distribution (October 2018 – March 2019)**
* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in SAP Support Portal
** Any Patch Day Security Note released after the second Tuesday, will be accounted for in the following SAP Security Patch Day.
Customers who would like to take a look at all Security Notes published or updated after February 12, 2019, go to Launchpad Expert Search → Filter ‘SAP Security Notes’ released between ‘Feb 12, 2019 - Mar 12, 2019’ → Go.
To know more about the security researchers and research companies who have contributed for security patches of this month, visit SAP Product Security Response Acknowledgement Page
Do write to us at [email protected] with all your comments and feedback on this blog post.
SAP Product Security Response Team