On the 10th of September 2019, SAP Security Patch Day saw the release of 12 Security Notes.
Notes by severity

| Priority | Number of Notes |
|---|---|
| Correction with high priority | 1 |
| Correction with medium priority | 7 |
| Correction with low priority | 1 |
On September Patch Day, SAP presented 3 HotNews Security Notes and 1 high-severity Note.
The first HotNews Note is 2808158 – OS Command Injection vulnerability in SAP Diagnostics Agent – with a CVSS Score of 9.1. A vulnerability was discovered that enables the execution of arbitrary code. This Note corrects additional instances of the vulnerability, since the earlier correction did not address them all. Because the vulnerability was discovered in one of the essential components of Solution Manager, the patches or the Note should be applied right away. Another Note also covers this vulnerability: 2823733, which is “Update 1” and replaces the recommendations of the original Note.
The next Note is 2798336 – Code Injection vulnerability in SAP NetWeaver AS for Java (Web Container) – with a CVSS Score of 9.1. An attacker can inject code into the Java Web Container of the application server, which the application can then run. Hence, an attacker could control how the application behaves.
The last Note to describe is 2817491 – Multiple security vulnerabilities in SAP HANA Extended Application Services (Advanced Model) – with a CVSS Score of 7.7. This Note addresses multiple vulnerabilities in SAP HANA Extended Application Services, such as Denial of Service (DoS) and Internal Port Scanning.