This post by the SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply the patches on priority to protect their SAP landscape.
On the 11th of February 2020, SAP Security Patch Day saw the release of 13 Security Notes. There are 2 updates to previously released Patch Day Security Notes.
We are pleased to inform you that the SAP Product Security Response Team now has a vulnerability submission form that security researchers can use to submit their findings to SAP. More information about how to report security issues to SAP can be found here.
List of security notes released on February Patch Day:

Update to Security Note released on April 2018 Patch Day:

- [CVE-2020-6186] Denial of Service (DOS) Vulnerability in SAP Host Agent
- [CVE-2020-6191] Missing Input Validation in SAP Landscape Management
- Note 2877968: [CVE-2020-6192] Missing Input Validation in SAP Landscape Management
  Product - SAP Landscape Management, Version - 3.0
- Note 2870067: Update 1 to Security Note 2736825 - [CVE-2019-0271] Denial of Service via XML External Entity (XXE) vulnerability in ABAP Server
  Product - ABAP Server (used in NetWeaver and Suite/ERP); Versions - using Kernel 7.21 or 7.22 (that is, ABAP Server 7.00 to 7.31), or using Kernel 7.45, 7.49 or 7.53 (that is, ABAP Server 7.40 to 7.52 or ABAP Platform)

Update to Security Note released on March 2019 Patch Day:

- [CVE-2020-6188] Missing Authorization check in SAP ERP and S/4 HANA (VAT Pro-Rata reports)
  Product - SAP S/4 HANA, Versions - S4CORE 100, 101, 102, 103, 104
- [CVE-2020-6193] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver (Knowledge Management ICE Service)
- [CVE-2020-6184] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver and SAP S/4HANA
- [CVE-2020-6181] HTTP Response Splitting vulnerability in SAP NetWeaver and ABAP Platform
- [CVE-2020-6190] Information Disclosure in SAP NetWeaver AS Java (Heap Dump Application)
- [CVE-2020-6183] Unprivileged Access to technical data using SAPOSCOL of SAP Host Agent
- [CVE-2020-6189] Information Disclosure in SAP BusinessObjects BI Central Management Console
- [CVE-2020-6187] Missing XML Validation vulnerability in SAP NetWeaver (Guided Procedures)
- [CVE-2020-6177] Missing XML Validation vulnerability in SAP Mobile Platform
[Chart: Security Notes vs Vulnerability Types# - February 2020]
# One security note can fix multiple vulnerabilities on the same product
[Chart: Security Notes vs Priority Distribution (September 2019 – February 2020)**]
* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in the SAP Support Portal.
** Any Patch Day Security Note released after the second Tuesday will be accounted for in the following SAP Security Patch Day.
Customers who would like to see all Security Notes published or updated after January 14, 2020 can go to Launchpad Expert Search → Filter 'SAP Security Notes' released between 'January 15, 2020 - February 11, 2020' → Go.
To know more about the security researchers and research companies who have contributed to the security patches of this month, visit the SAP Product Security Response Acknowledgement Page.
Do write to us at firstname.lastname@example.org with all your comments and feedback on this blog post.