SAP Security Patch Day – June 2020

On 9 June 2020 the SAP Product Security Response Team released 18 patches, one of which is an update to a note from a previous release. Every second Tuesday of the month the team publishes corrections and recommendations that fix known vulnerabilities discovered in SAP products.

All companies using SAP Liquidity Management for Banking should carefully review note 2928570 (Hot News, CVSS 9.8). The note describes the need to adjust the ports used by the AJP connector, which the Apache Tomcat AJP vulnerability codenamed 'Ghostcat' (CVE-2020-1938) exploits.

In addition to that patch, SAP customers in the finance or banking sector should implement the fix for the Missing Authorization Check in SAP NetWeaver AS ABAP (Banking Services).

Missing or insufficient authority checks are still a very common security vulnerability, and they occur in custom code as well as in SAP standard code. Make use of the best-of-breed Code Vulnerability Analyzer for SAP to identify and mitigate zero-day vulnerabilities before attackers identify and exploit them.
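To make the defect concrete, here is an added example of a custom ABAP report (it is not code from the original post and not part of SecurityBridge's product): a read of customer master data, first without any authority check and then guarded by AUTHORITY-CHECK against the standard customer master authorization object. The report name, form names and variable names are assumptions for illustration; table KNA1 and authorization object F_KNA1_GEN are standard SAP objects.

```abap
*&---------------------------------------------------------------------*
*& Added example, not code from the original post or from SecurityBridge.
*& Report, form and variable names are assumed for illustration; the
*& table KNA1 and the authorization object F_KNA1_GEN are standard SAP.
*&---------------------------------------------------------------------*
REPORT zsb_authcheck_demo.

PARAMETERS p_kunnr TYPE kna1-kunnr OBLIGATORY.

*----------------------------------------------------------------------*
* Vulnerable pattern: whoever can start the report (for example via
* SA38 or a custom transaction code) reads any customer master record.
* The only gate is the ability to execute the program, not the data.
*----------------------------------------------------------------------*
FORM read_customer_unchecked USING iv_kunnr TYPE kna1-kunnr.
  DATA ls_kna1 TYPE kna1.

  SELECT SINGLE kunnr name1 FROM kna1
    INTO CORRESPONDING FIELDS OF ls_kna1
    WHERE kunnr = iv_kunnr.
  IF sy-subrc = 0.
    WRITE: / ls_kna1-kunnr, ls_kna1-name1.
  ENDIF.
ENDFORM.

*----------------------------------------------------------------------*
* Hardened pattern: the same read, preceded by an explicit check of the
* standard customer master authorization object. ACTVT '03' is display.
* AUTHORITY-CHECK sets sy-subrc: 0 = authorized, 4 = user lacks the
* authorization, 12 = object not contained in any profile of the user.
* Every non-zero value must terminate the access path (fail closed).
*----------------------------------------------------------------------*
FORM read_customer_checked USING iv_kunnr TYPE kna1-kunnr.
  DATA ls_kna1 TYPE kna1.

  AUTHORITY-CHECK OBJECT 'F_KNA1_GEN'
    ID 'ACTVT' FIELD '03'.
  IF sy-subrc <> 0.
    " Error message of type E leaves the report before any data is read.
    MESSAGE 'No authorization to display customer master data' TYPE 'E'.
  ENDIF.

  SELECT SINGLE kunnr name1 FROM kna1
    INTO CORRESPONDING FIELDS OF ls_kna1
    WHERE kunnr = iv_kunnr.
  IF sy-subrc = 0.
    WRITE: / ls_kna1-kunnr, ls_kna1-name1.
  ELSE.
    WRITE: / 'Customer not found:', iv_kunnr.
  ENDIF.
ENDFORM.

START-OF-SELECTION.
  " Only the checked variant is wired to the selection screen; the
  " unchecked form is kept solely to show the defect side by side.
  PERFORM read_customer_checked USING p_kunnr.
```

The point of the hardened form is that the check happens before the database access and that every non-zero sy-subrc ends the path, not only the value 4. In productive code the check should also cover the organisational level of the record being read (for customer master data that means the company-code object F_KNA1_BUK with the BUKRS field), and a static code scanner is the practical way to find forms and methods where such a check is missing altogether.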

Because of hard-coded credentials in SAP Commerce and SAP Commerce Datahub, note 2918924 needs to be implemented.

Summary by Severity

The June release contains a total of 18 patches for the following severities:

| Severity | Number |
|---|---|
| Hot News | 2 |
| High | 4 |
| Medium | 12 |
| Note | Description | Product / Versions | Severity | CVSS |
|---|---|---|---|---|
| 2928570 | 'Ghostcat' Apache Tomcat AJP Vulnerability in SAP Liquidity Management for Banking (related CVE: CVE-2020-1938) | SAP Liquidity Management for Banking: 6.2 | Hot News | 9.8 |
| 2918924 | [CVE-2020-6265] Use of Hard-coded Credentials in SAP Commerce and SAP Commerce Datahub | SAP Commerce: 6.7, 1808, 1811, 1905; SAP Commerce (Data Hub): 6.7, 1808, 1811, 1905 | Hot News | 9.8 |
| 2906366 | [CVE-2020-6264] Information Disclosure in SAP Commerce | SAP Commerce: 6.7, 1808, 1811, 1905 | High | 8.6 |
| 2931391 | [CVE-2020-6271] Missing XML Validation in SAP Solution Manager (Problem Context Manager) | SAP Solution Manager (Problem Context Manager): 7.2 | High | 8.1 |
| 2933282 | [CVE-2020-6279] Missing Authorization Check in SAP SuccessFactors Recruitment Management | SAP SuccessFactors Recruiting: 2005 | High | 8.1 |
| 2912939 | [CVE-2020-6275] Server Side Request Forgery vulnerability in SAP NetWeaver AS ABAP | SAP NetWeaver AS ABAP: 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754 | High | 7.6 |
| 2878568 | [CVE-2020-6263] Authentication Bypass in Standalone Clients connecting to SAP NetWeaver AS Java via P4 Protocol | SAP NetWeaver AS Java (P4 Protocol): SAP-JEECOR 7.00, 7.01; SERVERCOR 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; CORE-TOOLS 7.00, 7.01, 7.02, 7.05, 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 | Medium | 6.9 |
| 2916562 | [CVE-2020-6270] Missing Authorization Check in SAP NetWeaver AS ABAP (Banking Services) | SAP NetWeaver AS ABAP (Banking Services): 710, 711, 740, 750, 751, 752, 75A, 75B, 75C, 75D, 75E | Medium | 6.5 |
| 2915126 | [CVE-2020-6260] Incomplete XML Validation in SAP Solution Manager (Trace Analysis) | SAP Solution Manager (Trace Analysis): 7.20 | Medium | 6.5 |
| 2918762 | Multiple vulnerabilities in Adobe LiveCycle Designer 11.0 (related CVEs: CVE-2018-1000632, CVE-2019-17571) | Component Adobe LiveCycle Designer: 11.0 | Medium | 6.5 |
| 2878935 | [CVE-2020-6246] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP (Business Server Pages Test Application SBSPEXT_TABLE) | SAP NetWeaver AS ABAP (Business Server Pages Test Application SBSPEXT_TABLE): 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754 | Medium | 6.1 |
| 2911704 | [CVE-2020-6266] URL redirection in SAP Fiori for SAP S/4HANA | SAP Fiori for SAP S/4HANA: 200, 300, 400, 500 | Medium | 5.4 |
| 2911687 | [CVE-2020-6266] URL redirection in SAP Fiori for SAP S/4HANA | SAP Fiori for SAP S/4HANA: 200, 300, 400, 500 | Medium | 5.4 |
| 2906996 | [CVE-2020-6268] Missing authorization check in SAP ERP (Statutory Reporting for Insurance Companies) | SAP ERP (Statutory Reporting for Insurance Companies): EA-FINSERV 600, 603, 604, 605, 606, 616, 617, 618, 800; S4CORE 101, 102, 103, 104 | Medium | 5.4 |
| 2908382 | [CVE-2020-6239] Information Disclosure in SAP Business One (Backup Service) | SAP Business One (Backup Service): 9.3, 10.0 | Medium | 4.4 |
| 2752614 | Update to Security Note released on July 2019 Patch Day: [CVE-2019-0319] Content Injection Vulnerability in SAP Gateway | SAP Gateway: 7.5, 7.51, 7.52, 7.53 | Medium | 4.3 |
| 2911267 | Update 1 to Security Note 2752614: [CVE-2019-0319] Content Injection Vulnerability in SAP Gateway | SAP Gateway: 7.40, 2.00 | Medium | 4.3 |
| 2905836 | [CVE-2020-6269] Information Disclosure in SAP Business Objects Business Intelligence Platform | SAP Business Objects Business Intelligence Platform: 4.2 | Medium | 4.3 |

Posted by Christoph Nagy