- June 16, 2020
SAP Security Patch Day – June 2020
On the 9th of June 2020 the SAP Product Security Response Team released 18 patches out of which 1 contains an update from a previous release. Every second Tuesday of the month the team publishes corrections and recommendations, which fix known vulnerabilities discovered within SAP products.
For all companies using the SAP Liquidity Management for Banking note 2928570 (Hot News, CVSS 9.8) should be carefully reviewed. The note describes the need to adjust the used ports exploited by Apache Tomcat AJP Vulnerability codenamed ‘Ghostcat'(CVE-2020-1938).
Next to the previous patch, also a Missing Authorization check in SAP Netweaver AS ABAP (Banking Services) shall be implemented by SAP customers in the Finance or Banking industry sector.
Missing or insufficient authority checks are still a very common security vulnerability, also within custom code. Make use of the best-of-breed Code Vulnerability Analyzer for SAP, to identify and mitigate zero day vulnerabilities before attackers identify and exploit them.
Due to hard-coded Credentials in SAP Commerce and SAP Commerce Datahub note 2918924 needs to be implemented.
Summary by Severity
The June release contains a total of 18 patches for the following severities:
| Severity | Number |
|---|---|
|
Hot News
|
2 |
|
High
|
4 |
|
Medium
|
12 |
| Note | Description | Severity | CVSS |
|---|---|---|---|
| 2928570 | 'Ghostcat' Apache Tomcat
AJP Vulnerability in SAP Liquidity Management for BankingRelated CVE - CVE-2020-1938 Product - SAP Liquidity Management for Banking; Version - 6.2 |
Hot News
|
9.8 |
| 2918924 | [CVE-2020-6265] Use of
Hard-coded Credentials in SAP Commerce and SAP Commerce Datahub Product - SAP Commerce; Version - 6.7, 1808, 1811, 1905 Product - SAP Commerce (Data Hub); Versions - 6.7, 1808, 1811, 1905 |
Hot News
|
9.8 |
| 2906366 | [CVE-2020-6264]
Information Disclosure in SAP Commerce Product - SAP Commerce; Versions - 6.7, 1808, 1811, 1905 |
High
|
8.6 |
| 2931391 | [CVE-2020-6271] Missing
XML Validation in SAP Solution Manager (Problem Context Manager) Product - SAP Solution Manager (Problem Context Manager); Version - 7.2 |
High
|
8.1 |
| 2933282 | [CVE-2020-6279] Missing
Authorization Check in SAP SuccessFactors Recruitment Management Product - SAP SuccessFactors Recruiting; Versions - 2005 |
High
|
8.1 |
| 2912939 | [CVE-2020-6275] Server
Side Request Forgery vulnerability in SAP NetWeaver AS ABAP Product - SAP Netweaver AS ABAP; Versions - 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754 |
High
|
7.6 |
| 2878568 | [CVE-2020-6263]
Authentication Bypass in Standalone Clients connecting to SAP NetWeaver AS Java via P4
Protocol Product - SAP NetWeaver AS JAVA (P4 Protocol); Versions -SAP-JEECOR 7.00, 7.01; SERVERCOR 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; CORE-TOOLS 7.00, 7.01, 7.02, 7.05, 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 |
Medium
|
6.9 |
| 2916562 | [CVE-2020-6270] Missing
Authorization check in SAP Netweaver AS ABAP (Banking Services) Product - SAP NetWeaver AS ABAP (Banking Services); Versions - 710, 711, 740, 750, 751, 752, 75A, 75B, 75C, 75D, 75E |
Medium
|
6.5 |
| 2915126 | [CVE-2020-6260] Incomplete
XML Validation in SAP Solution Manager (Trace Analysis) Product - SAP Solution Manager (Trace Analysis); Version - 7.20 |
Medium
|
6.5 |
| 2918762 | Multiple vulnerabilities
in Adobe LiveCycle Designer 11.0Related CVEs - CVE-2018-1000632, CVE-2019-17571 Component - Adobe LiveCycle Designer; Version - 11.0 |
Medium
|
6.5 |
| 2878935 | [CVE-2020-6246] Cross-Site
Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP ( Business Server Pages Test Application
SBSPEXT_TABLE) Product - SAP NetWeaver AS ABAP (Business Server Pages Test Application SBSPEXT_TABLE); Versions - 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754 |
Medium
|
6.1 |
| 2911704 | [CVE-2020-6266] URL
redirection in SAP Fiori for SAP S/4HANA Product - SAP Fiori for SAP S/4HANA; Versions - 200, 300, 400, 500 |
Medium
|
5.4 |
| 2911687 | [CVE-2020-6266] URL
redirection in SAP Fiori for SAP S/4HANA Product - SAP Fiori for SAP S/4HANA; Versions - 200, 300, 400, 500 |
Medium
|
5.4 |
| 2906996 | [CVE-2020-6268] Missing
authorization check in SAP ERP (Statutory Reporting for Insurance Companies) Product - SAP ERP (Statutory Reporting for Insurance Companies); Versions - EA-FINSERV 600, 603, 604, 605, 606, 616, 617, 618, 800; S4CORE 101, 102, 103, 104 |
Medium
|
5.4 |
| 2908382 | [CVE-2020-6239]
Information Disclosure in SAP Business One (Backup Service) Product - SAP Business One (Backup service); Versions - 9.3, 10.0 |
Medium
|
4.4 |
| 2752614 | Update to Security Note
released on July 2019 Patch Day:[CVE-2019-0319] Content Injection Vulnerability in SAP
Gateway Product - SAP Gateway; Versions - 7.5, 7.51, 7.52 and 7.53 |
Medium
|
4.3 |
| 2911267 | Update 1 to Security Note
2752614 - [CVE-2019-0319] Content Injection Vulnerability in SAP Gateway Product - SAP Gateway; Versions - 7.40, 2.00 |
Medium
|
4.3 |
| 2905836 | [CVE-2020-6269]
Information Disclosure in SAP Business Objects Business Intelligence Platform Product - SAP Business Objects Business Intelligence Platform; Version - 4.2 |
Medium
|
4.3 |
Download the Product Comparison Report and understand that holistic security for SAP can be delivered by a single solution.
Find recent Security Advisories for SAP©
Recent posts
PASàPAS will continue to leverage and install the SecurityBridge platform for SAP to help more SME organizations understand and mitigate SAP Security risks.
Events
Alles verändert sich, nichts bleibt wie es ist, die heutige Zeit setzt Flexibilität voraus. Entsprechend wandelbar präsentieren sich DSAG, SAP und das gesamte Ökosystem.
Diese Wandlungsfähigkeit steht auch im Fokus des DSAG-Jahreskongress 2023 vom 19.-21. September 2023 in Bremen.
Unter dem Motto „Wunderbar wandelbar – Gemeinsam neue Perspektiven schaffen“ freut sich die DSAG wieder darauf, mehr als 5.000 Teilnehmende zu begrüßen. Wagen Sie gemeinsam mit der Interessenvertretung den Blick durch das Kaleidoskop und finden Sie den richtigen Dreh, um zu neuen Blickwinkeln zu gelangen und Veränderungen zu gestalten.
SAP Security Patch Day
Today is another SAP Security Patch Day. In May 2023, the SAP Response Team released 20 SAP Security Notes, including Evergreen 2622660 Security updates for the browser control Google Chromium delivered with SAP Business Client with HotNews priority. Besides two updated Notes, SAP Security Patch Day May 2023, contains 18 new security updates for the vast SAP Product portfolio while the majority relates to SAP Business Objects.
SAP Vulnerability
SAP developers know that ABAP/4 (Advanced Business Application Programming) is not immune to security vulnerabilities like any other programming language. One significant security risk associated with SAP ABAP is directory traversal vulnerability.
In this blog post, we will discuss what a directory traversal vulnerability is, why it is a problem for SAP customers, how it can be exploited, and what measures to take to prevent it.
