Thursday, 23 April 2020 11:30

SAP Patchday April 2020 Featured

Just in time for the SAP Patchday, which is scheduled every second Tuesday in a month, SAP published 23 security advisories on April 14. The release also contains 3 updates of previously published SAP Notes. The Patchday in April 2020 shows again that SAP takes the security of its vast product portfolio very serious.

We advice you to make it a regular habit to check every SAP Patchday. While reviewing the fixes, try to prioritize the implementation by understanding the risk of each vulnerability to your individual SAP landscape and setup. Software products created by SAP SE build the backbone for critical infrastructure and supply-chains. In consequence it would be fatal to underestimate the impact of downtime due to a security flaw for which a patch was made available by SAP.

Highlights

Out of 5 Hot News notes, 1 has received an update.

According to our security experts, special attention should be paid to Hot News notes 2896682, which allows attackers to exploit a Directory Traversal vulnerability in SAP NetWeaver (Knowledge Management).

Although not classified as a hot news, due to the complexity and effort needed for an attacker to use the vulnerability, we do recommend to check SNote 2902645 that resolves an Privilege Escalation vulnerability in SAP Host Agent on Version 7.21

Summary by Severity

The April release contains a total of 26 patches for the following severities:

Severity Number
Hot News
5
High
5
Medium
16
Note Description Severity CVSS
2904480 [CVE-2020-6238] Missing XML Validation vulnerability in SAP Commerce
Product - SAP Commerce, Version - 6.6, 6.7, 1808, 1811, 1905 
Hot News
9.3
2839864 Update to Security Note released on November 2019 Patch Day:Update 2 to Security Note 2808158: [CVE-2019-0330] OS Command Injection vulnerability in SAP Diagnostics Agent
Product - SAP Diagnostic Agent (LM-Service), Versions - 7.20
Hot News
9.1
2896682 [CVE-2020-6225] Directory Traversal vulnerability in SAP NetWeaver (Knowledge Management)
Product - SAP NetWeaver (Knowledge Management), Version - KMC-CM - 7.00, 7.01, 7.02, 7.30, 7.31, 7.40, 7.50; KMC-WPC – 7.30, 7.31, 7.40, 7.50 
Hot News
9.1
2863731 [CVE-2020-6219] Deserialization of Untrusted Data in SAP Business Objects Business Intelligence Platform (CrystalReports WebForm Viewer)
Product - SAP Business Objects Business Intelligence Platform (CrystalReports WebForm Viewer), Versions - 4.1, 4.2 
Hot News
9.1
2900118 [CVE-2020-6230] Code Injection vulnerability in SAP OrientDB 3.0
Product - SAP OrientDB, Version - 3.0
Hot News
9.1
2906994 [CVE-2020-6235] Missing authentication check in SAP Solution Manager (Diagnostics Agent)
Product -  SAP Solution Manager (Diagnostics Agent), Version - 7.2 
High
8.6
2861301 Update to Security Note released on March 2020 Patch Day:[CVE-2020-6208] Remote Code Execution in SAP Business Objects Business Intelligence Platform (Crystal Reports)
Product - SAP Business Objects Business Intelligence Platform (Crystal Reports), Versions - 4.1, 4.2, 4.3
High
8.1 
2898077 [CVE-2020-6237] Information Disclosure in SAP Business Objects Business Intelligence Platform (dswsbobje Web Application)
Product - SAP Business Objects Business Intelligence Platform, Versions - 4.1, 4.2 
High
7.5
2902645 [CVE-2020-6234] Privilege Escalation in SAP Host Agent
Product - SAP Host Agent, Version - 7.21 
High
7.2
2902456 [CVE-2020-6236] Privilege Escalation in SAP Landscape Management 3.0/SAP Adaptive Extensions
Product - SAP Landscape Management, Version - 3.0
Product - SAP Adaptive Extensions, Version - 1.0
High
7.2
2878507 [CVE-2020-6195] Multiple vulnerabilities in SAP Business Objects Business Intelligence PlatformAdditional CVEs: CVE-2020-6220, CVE-2020-6218, CVE-2020-6211, CVE-2020-6223, CVE-2020-6221
Product - SAP Business Objects Business Intelligence Platform, Versions - 4.1, 4.2  
Medium
6.4
2864966 [CVE-2020-6212] Missing Authorization Check in SAP ERP & S/4 HANA (Egypt localized Withholding Tax reports)
Product - SAP ERP, Versions - 618, 730, EAPPLGLO 607 
Product - SAP S/4 HANA, Versions - 100, 101, 102, 103, 104 
Medium
6.3
2826528 [CVE-2020-6224] Information Disclosure in SAP NetWeaver Application Server Java (HTTP Service)
Product - SAP NetWeaver AS Java (HTTP Service), Versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50
Medium
6.2
2876059 [CVE-2020-6216] Cross-Site Scripting (XSS) vulnerability in SAP Business Objects Business Intelligence Platform (BILaunchpad/ Opendocument)
Product - SAP Business Objects Business Intelligence Platform (BI Launchpad), Versions -  4.2
Medium
6.1
2872782 [CVE-2020-6215] Cross-Site Scripting (XSS) vulnerability in SAP Fiori Launchpad
Product - SAP NetWeaver AS ABAP (Business Server Pages Test Application IT00) , Versions - 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754 
Medium
6.1
2872752 [CVE-2020-6213] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP(Business Server Pages Test Application SBSPEXT_PHTMLB)
Product - SAP NetWeaver AS ABAP (Business Server Pages Test Application SBSPEXT_PHTMLB), Versions - 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754 
Medium
6.1
2872545 [CVE-2020-6217] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP (Business Server Pages Test Application IT05)
Product - SAP NetWeaver AS ABAP (Business Server Pages Test Application IT05), Versions - 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754 
Medium
6.1
2900374 [CVE-2020-6229] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP (Business Server Pages application CRM_BSP_FRAME)
Product - SAP NetWeaver AS ABAP (Business Server Pages application CRM_BSP_FRAME), Versions - 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 75A, 75B, 75C, 75D, 75E
Medium
6.1
2879132 [CVE-2020-6226] Cross-Site Scripting (XSS) vulnerabilities in SAP Business Objects Business Intelligence Platform (Web Intelligence HTML interface)Additional CVE: CVE-2020-6231
Product - SAP Business Objects Business Intelligence Platform (Web Intelligence HTML interface) , Version - 4.2
Medium
5.4
2880804 [CVE-2020-6222] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface)
Product - SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface) , Versions - 4.1, 4.2 
Medium
5.4
2866752 [CVE-2020-6228] Missing Integrity Check in SAP BUSINESS CLIENT
Product - SAP Business Client, Versions - 6.5, 7.0 
Medium
5.3
2863396 [CVE-2020-6227] Remote unauthenticated log injection in SAP Business Objects Business Intelligence Platform (CMS / Auditing issues)
Product - SAP Business Objects Business Intelligence Platform (CMS / Auditing issues), Version - 4.2
Medium
5.3
2888556 [CVE-2020-6232] Missing Authorization check in SAP Commerce
Product - SAP Commerce, Versions - 1811, 1905 
Medium
5.3
2864462 Update to Security Note released on March 2020 Patch Day:[CVE-2020-6210] Cross-Site Scripting (XSS) vulnerability in SAP Fiori Launchpad
Product - SAP Fiori Launchpad, Versions - 753, 754
Medium
4.7
2897612 [CVE-2020-6214] Incorrect Authorization in SAP S/4HANA (Financial Products Subledger)
Product - SAP S/4HANA (Financial Products Subledger), Versions - 100
Medium
4.7
2904796 [CVE-2020-6233] Missing Authorization Check in SAP S/4 HANA (Financial Products Subledger and Banking Services)
Product - SAP S/4 HANA (Financial Products Subledger and Banking Services), Versions - FSAPPL 400, 450, 500; S4FPSL 100 
Medium
4.3

Source

Additional Info

  • Language:: English