SAP released 33 patches in the month of April, of which 5 were considered critical. Below are the critical Security Notes that should be applied:
- SAP Notes 1647225 and 1675432 which address missing authorization checks in components of Business Objects Data Services (EIM-DS) and the SAP Classification System (CA-CL).
- SAP Note 1651004 is designed to protect the UME from cross-frame scripting (XFS) attacks that could be used to steal the logon credentials of SAP users.
- SAP Note 1652803 which fixes a Denial of Service (DoS) vulnerability in certain versions of Apache Tomcat bundled with Business Objects Enterprise.
- SAP Note 1657200, which is designed to patch a flaw in an SAP component responsible for managing payment cards, and SAP Note 1638596, which patches an injection vulnerability.
Read more about the SAP Security Notes Advisory and the possible identified issues in this Layerseven Security article.