Friday, 17 January 2020 14:44

SAP Patchday January 2020

On 14 January 2020, its Security Patch Day, SAP released six new Security Notes and one update to a previously released note.

Highlights

A Cross-Site Scripting (XSS) vulnerability in the REST adapter of SAP PI was addressed. This is especially relevant for clients that make use of the REST adapter. 3 of the 6 Security Notes deal with missing authorization checks. Clients with active use cases running FIORI should review note 2843016: the vulnerability allows an attacker to manipulate content due to insufficient URL validation.

Summary by Severity

The January release contains a total of 6 patches:

Severity    Number
Hot News    0
High        0
Medium      6
Note      Severity   CVSS
  (description and affected products listed under each note)

2863743   Medium     6.1
  [CVE-2020-6305] Cross-Site Scripting (XSS) vulnerability in Rest Adapter of SAP Process Integration
  Product - SAP Process Integration - Rest Adapter (SAP_XIAF), Versions - 7.31, 7.40, 7.50

2848498   Medium     5.9
  [CVE-2020-6304] Denial of service (DOS) in SAP NetWeaver Internet Communication Manager
  Product - SAP NetWeaver Internet Communication Manager, Versions - KRNL32NUC & KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT; KRNL64NUC & KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49; KERNEL 7.21, 7.22, 7.49, 7.53

2845401   Medium     5.4
  Missing Authorization check in Realtech RTCISM 100
  Product - RTCISM, Version - 100

2772325   Medium     5.4
  [CVE-2020-6303] Improper input validation in SAP Disclosure Management
  Product - SAP Disclosure Management, Version - 10.1

2863397   Medium     4.3
  [CVE-2020-6307] Missing Authorization Check in Automated Note Search Tool (SAP_BASIS)
  Product - Automated Note Search Tool (SAP Basis), Versions - 7.0, 7.01, 7.02, 7.31, 7.4, 7.5, 7.51, 7.52, 7.53 and 7.54

2843016   Medium     4.3
  [CVE-2019-0388] Content spoofing vulnerability in UI5 HTTP Handler
  Product - SAP UI, Versions - 7.5, 7.51, 7.52, 7.53, 7.54
  Product - SAP UI 700, Versions - 2.0

2865348   Low        2.7
  [CVE-2020-6306] Missing Authorization check in SAP Leasing
  Product - SAP Leasing, Versions - (SAP_Appl) 6.18, (EA_Appl) 6.0, 6.02, 6.03, 6.04, 6.05, 6.06, 6.16 and 6.17
