Tuesday, 11 February 2020 15:08

SAP Patchday February 2020

On 11 February 2020, SAP's Security Response team released its monthly security corrections. This page summarizes the highlights.

Highlights

After a rather quiet start to 2020 with the January release, SAP SE evidently had some catching up to do: the February release contains 15 security updates, 3 of which are updates to notes from previous Patchdays.

The already known vulnerability in Google Chromium, the browser control delivered with SAP Business Client (formerly NetWeaver Business Client), has been updated again. The note is still rated "Hot News" (CVSS 9.8) because the Chromium vulnerabilities pose the following risks:

  • system information disclosure or, in the worst case, a system crash
  • direct impact on the confidentiality, integrity and availability of a system
  • information gathered can be used to craft further attacks, possibly with more severe consequences

In the corresponding note 2622660, SAP points out that the browser control must be updated periodically, following the browser updates released by the open source Chromium project.

A new vulnerability in SAP Host Agent has been identified (note 2841053, CVE-2020-6186, CVSS 7.5): an unauthenticated attacker can cause a denial of service by sending malicious requests. The first measure SAP lists is to restrict access to the SAP Host Agent's network ports. In this note SAP emphasizes once again that the network services of an SAP system should only be exposed to trusted networks.
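The port-restriction workaround in practice, as an added example (shell, not from SAP or the original article): the first function scans `ss -ltn` output for SAP Host Agent listeners bound to a wildcard address, the second emits an nftables ruleset that admits only trusted source networks to those ports. It assumes the Host Agent's default ports 1128/TCP (HTTP) and 1129/TCP (HTTPS), which the page itself does not name, and IPv4 trusted networks; the sample `ss` lines are constructed, not a real capture.

```shell
#!/bin/sh
# Added example, not from SAP or the original article. Helpers for the
# workaround in note 2841053: restrict access to the SAP Host Agent ports.
# Assumption: the agent uses its default ports 1128/TCP (HTTP) and
# 1129/TCP (HTTPS); the article itself does not name them.

HOSTAGENT_PORTS="1128 1129"

# hostagent_exposed: read `ss -ltn` output on stdin and print every Host
# Agent listener bound to a wildcard address (0.0.0.0, *, [::] or ::), i.e.
# reachable from every interface. Exit status 0 = nothing exposed, 1 = exposed.
hostagent_exposed() {
    found=0
    while read -r state recvq sendq laddr peer rest; do
        [ -n "$laddr" ] || continue            # skip blank lines
        [ "$state" = "State" ] && continue     # skip the ss header line
        port=${laddr##*:}                      # text after the last colon
        addr=${laddr%:*}                       # text before the last colon
        for p in $HOSTAGENT_PORTS; do
            [ "$port" = "$p" ] || continue
            case "$addr" in
                0.0.0.0|\*|'[::]'|::) printf '%s\n' "$laddr"; found=1 ;;
            esac
        done
    done
    [ "$found" -eq 0 ]
}

# hostagent_nft_ruleset: print an nftables ruleset that accepts the Host
# Agent ports only from the given trusted IPv4 networks/hosts (plus loopback)
# and drops everything else destined for them, IPv6 included. Load with
# `nft -f <file>`; check first with `nft -c -f <file>`.
hostagent_nft_ruleset() {
    if [ $# -eq 0 ]; then
        echo "usage: hostagent_nft_ruleset <trusted-cidr-or-ip>..." >&2
        return 2
    fi
    ports=$(printf '%s' "$HOSTAGENT_PORTS" | tr ' ' ',')
    trusted=$(printf '%s' "$*" | tr ' ' ',')
    cat <<EOF
table inet sap_hostagent {
    chain input {
        type filter hook input priority -10; policy accept;
        iif lo accept
        tcp dport { $ports } ip saddr { $trusted } accept
        tcp dport { $ports } drop
    }
}
EOF
}

# Constructed sample of `ss -ltn` output (not a real capture): two Host Agent
# listeners on wildcard addresses, one loopback-only, one unrelated service.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:1128      0.0.0.0:*     users:(("sapstartsrv",pid=1201,fd=7))
LISTEN 0      128    [::]:1129         [::]:*        users:(("saphostexec",pid=1200,fd=9))
LISTEN 0      128    127.0.0.1:1128    0.0.0.0:*
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*'

if printf '%s\n' "$SAMPLE_SS" | hostagent_exposed; then
    echo "no SAP Host Agent listener is exposed on a wildcard address"
else
    echo "exposed listeners above; restrict them, e.g. with:"
    hostagent_nft_ruleset 10.1.0.0/24 192.168.5.10
fi
```

On a real host, replace the sample with `ss -ltn | hostagent_exposed` and pass your administration subnets and the SAP management host to `hostagent_nft_ruleset`. The generated chain runs at priority -10 so it decides before the distribution's default input chain, and the final `drop` rule also catches IPv6 sources, which the `ip saddr` match does not cover.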

Summary by Severity

The February release contains a total of 15 patches for the following severities:

Severity    Number
Hot News    1
High        3
Medium      11
Note (Severity, CVSS): Description
  Affected products and versions

2622660 (Hot News, CVSS 9.8): Update to Security Note released on April 2018 Patch Day: Security updates for the browser control Google Chromium delivered with SAP Business Client
  Product - SAP Business Client, Version - 6.5

2841053 (High, CVSS 7.5): [CVE-2020-6186] Denial of Service (DoS) Vulnerability in SAP Host Agent
  Product - SAP Host Agent, Version - 7.21

2878030 (High, CVSS 7.2): [CVE-2020-6191] Missing Input Validation in SAP Landscape Management
  Product - SAP Landscape Management, Version - 3.0

2877968 (High, CVSS 7.2): [CVE-2020-6192] Missing Input Validation in SAP Landscape Management
  Product - SAP Landscape Management, Version - 3.0

2870067 (Medium, CVSS 6.5): Update 1 to Security Note 2736825 - [CVE-2019-0271] Denial of Service via XML External Entity (XXE) vulnerability in ABAP Server
  Product - ABAP Server (used in NetWeaver and Suite/ERP), Versions - Using Kernel 7.21 or 7.22, that is ABAP Server 7.00 to 7.31; Using Kernel 7.45, 7.49 or 7.53, that is ABAP Server 7.40 to 7.52 or ABAP Platform

2736825 (Medium, CVSS 6.5): Update to Security Note released on March 2019 Patch Day: [CVE-2019-0271] Denial of Service via XML External Entity (XXE) vulnerability in ABAP Server
  Product - ABAP Server (used in NetWeaver and Suite/ERP), Versions - Using Kernel 7.21 or 7.22, that is ABAP Server 7.00 to 7.31; Using Kernel 7.45, 7.49 or 7.53, that is ABAP Server 7.40 to 7.52 or ABAP Platform

2857511 (Medium, CVSS 6.3): [CVE-2020-6188] Missing Authorization check in SAP ERP and S/4HANA (VAT Pro-Rata reports)
  Product - SAP ERP, Versions - SAP_APPL 600, 602, 603, 604, 605, 606, 616; SAP_FIN 617, 618, 700, 720, 730
  Product - SAP S/4HANA, Versions - S4CORE 100, 101, 102, 103, 104

2873012 (Medium, CVSS 6.1): [CVE-2020-6193] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver (Knowledge Management ICE Service)
  Product - SAP NetWeaver (Knowledge Management ICE Service), Versions - 7.30, 7.31, 7.40, 7.50

2880869 (Medium, CVSS 6.1): [CVE-2020-6184] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver and SAP S/4HANA (additional CVE: CVE-2020-6185)
  Product - SAP NetWeaver, Version - SAP_BASIS 7.40
  Product - SAP S/4HANA, Versions - SAP_BASIS 7.50, 7.51, 7.52, 7.53, 7.54

2880744 (Medium, CVSS 5.8): [CVE-2020-6181] HTTP Response Splitting vulnerability in SAP NetWeaver and ABAP Platform
  Product - SAP NetWeaver, Versions - SAP_BASIS 702, 730, 731, 740
  Product - SAP ABAP Platform, Versions - SAP_BASIS 750, 751, 752, 753, 754

2838835 (Medium, CVSS 5.8): [CVE-2020-6190] Information Disclosure in SAP NetWeaver AS Java (Heap Dump Application)
  Product - SAP NetWeaver AS Java (Heap Dump Application), Versions - 7.30, 7.31, 7.40, 7.50

2836445 (Medium, CVSS 5.3): [CVE-2020-6183] Unprivileged Access to technical data using SAPOSCOL of SAP Host Agent
  Product - SAP Host Agent, Version - 7.21

2695210 (Medium, CVSS 5.3): [CVE-2020-6189] Information Disclosure in SAP BusinessObjects BI Central Management Console
  Product - SAP BusinessObjects Business Intelligence Platform (CMC), Version - 4.2

2864415 (Medium, CVSS 4.9): [CVE-2020-6187] Missing XML Validation vulnerability in SAP NetWeaver (Guided Procedures)
  Product - SAP NetWeaver (Guided Procedures), Versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50

2880993 (Medium, CVSS 4.3): [CVE-2020-6177] Missing XML Validation vulnerability in SAP Mobile Platform
  Product - SAP Mobile Platform, Version - 3.0
