SAP has issued a total of 74 notes in the first quarter of 2017.
- There were 28 notes issued in April. One of them has critical priority (Hot News) and four have high priority. The critical note (CVSS 9.4) affects TREX / BWA and allows remote code execution. The most prevalent note types are "Missing Authorization Check", "XML Data Validation Error" and "Cross-Site Scripting (XSS)".
- There were 17 notes issued in May. Only one of them has high priority, while the other 16 have medium or low priority. The high-priority note does not affect SAP directly but a component of the Internet Graphics Server (IGS). Most of the notes apply to ABAP NetWeaver, and the most prevalent types are "Missing Authorization Check" and "Cross-Site Scripting (XSS)".
- There were 29 notes issued in June, 5 of them with high priority and the rest with medium priority. The high-priority notes were related to BILaunchPad, Central Management Console, SAP NetWeaver Instance Agent Service and Cross-Site Scripting (XSS).
The most relevant security updates in this quarter were:
- Unauthorized usage of application functionality (1450166): several components were patched to prevent client-side web attacks such as Cross-Site Request Forgery. After proper installation of the suggested Support Packages, a new XSRF Protection Framework is added to the systems. Over 20 older SAP Security Notes are referenced in this note and are affected by the new framework. CVSS v3 Base Score: not disclosed.
- Missing XML Validation vulnerability in Web Dynpro Flash Island (2410082): this component does not properly validate XML documents, which could lead to arbitrary file retrieval from the server or even denial-of-service attacks. CVSS v3 Base Score: 7.5 / 10
- Security vulnerabilities in SAPLPD (2421287): security vulnerabilities were found in this component, which is used for printing on Microsoft Windows. Since there are newer and more secure printing options, SAP recommends switching to Frontend Print or Backend Print rather than upgrading this component (upgrading is only advised if there are compatibility issues). CVSS v3 Base Score: 7.5 / 10
- SQL Injection vulnerability in Database Monitors for Oracle (2319506): updated in note #2418823, the support packages correct an SQL injection vulnerability in the database layer. CVSS v3 Base Score: 7.2 / 10.
- Memory Corruption Vulnerability in IGS (2380277): details how an attacker can update a library component that is used by Internet Graphics Server (IGS). This bug has been present for the last year. Although it has been around for a while, it is easy to fix and there are no reports of it being widely exploited in the wild. Other software companies such as Oracle and RedHat shipped the same library and updated it in 2016.
- Denial of service (DoS) in BILaunchPad and Central Management Console (2313631): both services can be exploited to cause a denial of service on the servers; the note is rated this high because of its impact on availability. CVSS v3 Base Score: 7.5 / 10
- Denial of service (DoS) in SAP NetWeaver Instance Agent Service (2389181): the same type of bug (DoS) and conditions as the previous one, but affecting another service. CVSS v3 Base Score: 7.5 / 10
- Improved security for outgoing HTTPS connections in SAP NetWeaver (2416119): this note is an update of a March publication that adds information on how to configure HTTPS connections securely. It's worth mentioning that this is a manual note with specific manual steps to perform after patch installation. As a result, it could cause usability issues if the certificates are not properly configured before implementation. This is the second month that SAP has published information about this note, so we strongly recommend patching it as soon as possible. CVSS v3 Base Score: 7.4 / 10
- Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Web Intelligence HTML interface (2396544): as with any XSS bug, without the note the component does not sufficiently validate user input, enabling client-side attacks. Although XSS bugs are usually not critical, this one has a high impact on confidentiality, which raises its CVSS score. CVSS v3 Base Score: 7.1 / 10
- Missing certificate verification in CommonCryptoLib (2444321): finally, there's another note related to HTTPS certificate validation, in this case through a third-party tool. This is a manual note that is resolved by installing the fixed version of the software, available from SAP Software Downloads. As with the related note above, after proper installation there could be issues if no trusted certificates are installed. CVSS v3 Base Score: 7.0 / 10
For more information about the notes of each month, check the links above.