SAP Security Patch Day – February 2020

This post by the SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply patches on priority to protect their SAP landscape.

On 11th of February 2020, SAP Security Patch Day saw the release of 13 Security Notes. There are 2 updates to previously released Patch Day Security Notes.

We are pleased to announce that the SAP Product Security Response Team now has a vulnerability submission form that security researchers can use to submit their findings to SAP. More information about how to report security issues to SAP can be found here.

List of security notes released on February Patch Day:

 

| Note# | Title | Priority | CVSS |
|---|---|---|---|
| 2622660 | Update to Security Note released on April 2018 Patch Day: Security updates for the browser control Google Chromium delivered with SAP Business Client; Product - SAP Business Client, Version - 6.5 | HotNews | 9.8 |
| 2841053 | [CVE-2020-6186] Denial of Service (DOS) Vulnerability in SAP Host Agent; Product - SAP Host Agent, Versions - 7.21 | High | 7.5 |
| 2878030 | [CVE-2020-6191] Missing Input Validation in SAP Landscape Management; Product - SAP Landscape Management, Version - 3.0 | High | 7.2 |
| 2877968 | [CVE-2020-6192] Missing Input Validation in SAP Landscape Management; Product - SAP Landscape Management, Version - 3.0 | High | 7.2 |
| 2870067 | Update 1 to Security Note 2736825 - [CVE-2019-0271] Denial of Service via XML External Entity (XXE) vulnerability in ABAP Server; Product - ABAP Server (used in NetWeaver and Suite/ERP), Versions - Using Kernel 7.21 or 7.22, that is ABAP Server 7.00 to 7.31, Using Kernel 7.45, 7.49 or 7.53, that is ABAP Server 7.40 to 7.52 or ABAP Platform | Medium | 6.5 |
| 2736825 | Update to Security Note released on March 2019 Patch Day: [CVE-2019-0271] Denial of Service via XML External Entity (XXE) vulnerability in ABAP Server; Product - ABAP Server (used in NetWeaver and Suite/ERP), Versions - Using Kernel 7.21 or 7.22, that is ABAP Server 7.00 to 7.31, Using Kernel 7.45, 7.49 or 7.53, that is ABAP Server 7.40 to 7.52 or ABAP Platform | Medium | 6.5 |
| 2857511 | [CVE-2020-6188] Missing Authorization check in SAP ERP and S/4 HANA (VAT Pro-Rata reports); Product - SAP ERP, Versions - SAP_APPL 600, 602, 603, 604, 605, 606, 616, SAP_FIN 617, 618, 700, 720, 730; Product - SAP S/4 HANA, Versions - S4CORE 100, 101, 102, 103, 104 | Medium | 6.3 |
| 2873012 | [CVE-2020-6193] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver (Knowledge Management ICE Service); Product - SAP NetWeaver (Knowledge Management ICE Service), Versions - 7.30, 7.31, 7.40, 7.50 | Medium | 6.1 |
| 2880869 | [CVE-2020-6184] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver and SAP S/4HANA; Additional CVE: CVE-2020-6185; Product - SAP NetWeaver, Version - SAP_BASIS 7.40; Product - SAP S/4HANA, Versions - SAP_BASIS 7.50, 7.51, 7.52, 7.53, 7.54 | Medium | 6.1 |
| 2880744 | [CVE-2020-6181] HTTP Response Splitting vulnerability in SAP NetWeaver and ABAP Platform; Product - SAP NetWeaver, Versions - SAP_BASIS 702, 730, 731, 740; Product - SAP ABAP Platform, Versions - SAP_BASIS 750, 751, 752, 753, 754 | Medium | 5.8 |
| 2838835 | [CVE-2020-6190] Information Disclosure in SAP NetWeaver AS Java (Heap Dump Application); Product - SAP NetWeaver AS Java (Heap Dump Application), Versions - 7.30, 7.31, 7.40, 7.50 | Medium | 5.8 |
| 2836445 | [CVE-2020-6183] Unprivileged Access to technical data using SAPOSCOL of SAP Host Agent; Product - SAP Host Agent, Versions - 7.21 | Medium | 5.3 |
| 2695210 | [CVE-2020-6189] Information Disclosure in SAP BusinessObjects BI Central Management Console; Product - SAP Business Objects Business Intelligence Platform (CMC), Versions - 4.2 | Medium | 5.3 |
| 2864415 | [CVE-2020-6187] Missing XML Validation vulnerability in SAP NetWeaver (Guided Procedures); Product - SAP NetWeaver (Guided Procedures), Versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 | Medium | 4.9 |
| 2880993 | [CVE-2020-6177] Missing XML Validation vulnerability in SAP Mobile Platform; Product - SAP Mobile Platform, Versions - 3.0 | Medium | 4.3 |

________________________________________________________________________________

[Chart: Security Notes vs Vulnerability Types# - February 2020]

# One security note can fix multiple vulnerabilities on the same product

[Chart: Security Notes vs Priority Distribution (September 2019 – February 2020)**]

* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in the SAP Support Portal.

** Any Patch Day Security Note released after the second Tuesday will be accounted for in the following SAP Security Patch Day.

Customers who would like to take a look at all Security Notes published or updated after January 14, 2019, can go to Launchpad Expert Search → Filter 'SAP Security Notes' released between 'January 15, 2019 - February 11, 2020' → Go.

To learn more about the security researchers and research companies who have contributed to this month's security patches, visit the SAP Product Security Response Acknowledgement Page.

Do write to us at secure@sap.com with all your comments and feedback on this blog post.

SAP Product Security Response Team
