On the 8th of October 2019, SAP Security Patch Day saw the release of 7 Security Notes.
Notes by severity
|Correction with high priority||1|
|Correction with medium priority||4|
|Correction with low priority||0|
On October Patch Day SAP presents 2 HotNews Security Notes and 1 high-severity Note.
Starting with the first HotNews Note 2826015 – Missing Authentication Check in AS2 Adapter of B2B Add-On for SAP NetWeaver Process Integration – with a CVSS Score of 9.3. This vulnerability, which exclusively affects the B2B Add On for PI, permits access to privileged or administrative activities because some features’ authorization checks do not require user identity. Although the note’s recommendations for changing system parameters can result in immediate risk mitigation, the solution involves using the most recent support package.
The next HotNews Note is 2828682 – Information Disclosure vulnerability in SAP Landscape Management Enterprise – with a CVSS Score of 9.1. LVM (LaMa) connectivity may be manipulated into returning more data that would not otherwise be allowed. In addition to some manual procedures described in the note, the solution entails applying the new patch for the component.
The last is high-severity Note 2792430 – Binary Planting vulnerability in SAP SQL Anywhere, SAP IQ and SAP Dynamic Tiering – with s CVSS Score of 7.8. A user with access to the system could modify the file search algorithm in systems using SAP’s SQL Anywhere, IQ, or Dynamic Tiering as part of a SAP HANA deployment to reveal directories outside the path set by the user. To resolve this issue, you must implement the most recent support packages as described in the note.