On the 9th of April 2019, SAP Security Patch Day saw the release of 8 Security Notes.
Notes by severity
|Correction with high priority||1|
|Correction with medium priority||6|
|Correction with low priority||0|
On April Patch Day SAP presents 1 HotNews Security Note and 1 high-severity Note.
Starting with the first HotNews Note 2622660 – Security updates for the browser control Google Chromium delivered with SAP Business Client – with a CVSS Score of 9.9. This security note addresses various flaws in the Chromium third-party web browser control, which is a component of the SAP Business Client. This message will be updated on a regular basis in accordance with Chromium’s open source web browser releases.
The last is high-severity Note 2747683 – SAP NetWeaver Process Integration (Adapter Engine) vulnerable to Digital Signature Spoofing – with a CVSS Score of 7.1. By using the PI Axis adapter, it is possible to forge XML signatures and make arbitrary queries to the server. Even if the payload has been changed, the PI Axis adapter will still accept these requests, especially if the signed element is the body of the XML file.