Product Security Response at SAP
Child pages
  • SAP Security Patch Day – January 2020
Skip to end of metadata
Go to start of metadata

This post by SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that the customer visits the Support Portal and applies patches on a priority to protect their SAP landscape.

On 14th of January 2020, SAP Security Patch Day saw the release of 6 Security Notes. There are 1 updates to previously released Patch Day Security Notes.

List of security notes released on January Patch Day:

 

Note#TitlePriorityCVSS
2863743

[CVE-2020-6305] Cross-Site Scripting (XSS) vulnerability in Rest Adapter of SAP Process Integration
Product - SAP Process Integration Rest Adapter (SAP_XIAF), Version - 7.31, 7.40, 7.50 

Medium6.1
2848498

[CVE-2020-6304] Denial of service (DOS) in SAP NetWeaver Internet Communication Manager
Product - SAP NetWeaver Internet Communication Manager, Versions -
KRNL32NUC & KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT 
KRNL64NUC & KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49  
KERNEL 7.21, 7.22, 7.49, 7.53 

Medium5.9
2845401

Missing Authorization check in Realtech RTCISM 100
Product - RTCISM, Version - 100

Medium5.4
2772325[CVE-2020-6303Improper input validation in SAP Disclosure Management
Product - SAP Disclosure Management, Version - 10.1		Medium5.4
2863397[CVE-2020-6307] Missing Authorization Check in Automated Note Search Tool (SAP_BASIS)
Product - Automated Note Search Tool (SAP Basis), Versions - 7.0, 7.01,7.02, 7.31, 7.4, 7.5, 7.51, 7.52, 7.53 and 7.54 		Medium4.3
2843016

[CVE-2019-0388Content spoofing vulnerability in UI5 HTTP Handler
Product - SAP UI, Versions - 7.5, 7.51, 7.52, 7.53, 7.54
Product - SAP UI 700, Versions - 2.0

Medium4.3
2865348

[CVE-2020-6306Missing Authorization check in SAP Leasing
Product - SAP Leasing, Versions - (SAP_Appl) 6.18, (EA_Appl6.0, 6.02, 6.03, 6.04, 6.05, 6.06, 6.16 and 6.17 

Low2.7 

________________________________________________________________________________

Security Notes vs Vulnerability Types# -  January 2020

 

#One security note can fix multiple vulnerabilities on same product


Security Notes vs Priority Distribution (August 2019 – January 2020)**

* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in SAP Support Portal

** Any Patch Day Security Note released after the second Tuesday, will be accounted for in the following SAP Security Patch Day.

Customers who would like to take a look at all Security Notes published or updated after December 10, 2019, go to Launchpad Expert Search → Filter 'SAP Security Notes' released between 'December 11, 2019 - January 14, 2020' → Go.

To know more about the security researchers and research companies who have contributed for security patches of this month, visit SAP Product Security Response Acknowledgement Page.

Do write to us at secure@sap.com with all your comments and feedback on this blog post.

SAP Product Security Response Team

  • No labels