This post by the SAP Product Security Response Team shares information on the Patch Day Security Notes* that are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply the patches with priority to protect their SAP landscape.
On 10 March 2020, SAP Security Patch Day saw the release of 16 Security Notes, plus 2 updates to previously released Patch Day Security Notes.
List of security notes released on the March Patch Day:
| Note# | Title | Priority | CVSS |
|---|---|---|---|
| 2890213 | [CVE-2020-6207] Missing Authentication Check in SAP Solution Manager (User-Experience Monitoring) | Hot News | 10 |
| 2845377 | [CVE-2020-6198] Missing Authentication check in SAP Solution Manager (Diagnostics Agent) | Hot News | 9.8 |
| 2622660 | Update to Security Note released on April 2018 Patch Day: | Hot News | 9.8 |
| 2806198 | [CVE-2020-6203] Path Manipulation in SAP NetWeaver UDDI Server (Services Registry). Product: SAP NetWeaver UDDI Server (Services Registry), Versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 | Hot News | 9.1 |
| 2861301 | [CVE-2020-6208] Remote Code Execution in SAP Business Objects Business Intelligence Platform (Crystal Reports). Product: SAP Business Objects Business Intelligence Platform (Crystal Reports), Versions 4.1, 4.2 | High | 8.2 |
| 2858044 | [CVE-2020-6209] Missing Authorization check in SAP Disclosure Management. Information for CVE: an attacker needs to know the application-specific services and functionality of the default password | High | 7.5 |
| 2826782 | [CVE-2020-6196] Denial of service (DOS) in SAP BusinessObjects Mobile (MobileBIService) | High | 7.5 |
| 2660005 | Update to Security Note released on August 2018 Patch Day: | High | 7.2 |
| 2876813 | [CVE-2020-6201] Cross-Site Scripting (XSS) vulnerability in SAP Commerce Cloud (testweb extension) | Medium | 6.1 |
| 2884910 | [CVE-2020-6205] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP Business Server Pages (Smart Forms) | Medium | 6.1 |
| 2847787 | [CVE-2020-6202] Missing XML Validation in SAP NetWeaver Application Server Java (User Management Engine) | Medium | 5.5 |
| 2876413 | [CVE-2020-6200] Cross-Site Scripting in SAP Commerce Cloud (SmartEdit extension) | Medium | 5.4 |
| 2871167 | [CVE-2020-6199] Missing Authorization check in SAP ERP and S/4 HANA (MENA Certificate Management) | Medium | 5.4 |
| 2880664 | [CVE-2020-6178] Insufficient session expiration in SAP Enable Now Manager | Medium | 5.4 |
| 2864462 | [CVE-2020-6210] Cross-Site Scripting (XSS) vulnerability in SAP Fiori Launchpad | Medium | 4.7 |
| 2859004 | [CVE-2020-6206] Cross-Site Request Forgery in SAP Cloud Platform Integration for data services | Medium | 4.7 |
| 2841874 | [CVE-2020-6204] Missing Authorization check in SAP Treasury and Risk Management (Transaction Management) | Medium | 4.3 |
| 2845363 | [CVE-2020-6197] Insufficient session expiration in SAP Enable Now Manager | Medium | 3.8 |
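The table above is what most teams paste into a ticket and work through by hand. The following Python script is an added example (not SAP's tooling and not part of the original post): it parses the pipe-separated note rows exactly as they appear above, orders them for remediation (priority first, then CVSS descending), counts notes per priority, and flags any row whose listed priority does not sit in the CVSS band it would normally map to, so that such rows can be double-checked against the Support Portal before scheduling. The CVSS-to-priority bands used for that check (Hot News 9.0 and above, High 7.0 to 8.9, Medium 4.0 to 6.9, Low below 4.0) are an assumption stated in the code, not something the bulletin itself defines. The embedded note text is a constructed copy of the March 2020 rows.

```python
"""Triage helper for an SAP Patch Day note list (added example, not SAP code).

Parses rows of the form
    <note#> | <title> | <priority> | <cvss> |
and produces a remediation order plus a consistency check.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the March 2020 rows from the bulletin, pasted as text.
RAW_NOTES = """\
Note# | Title | Priority | CVSS |
2890213 | [CVE-2020-6207] Missing Authentication Check in SAP Solution Manager (User-Experience Monitoring) | Hot News | 10 |
2845377 | [CVE-2020-6198] Missing Authentication check in SAP Solution Manager (Diagnostics Agent) | Hot News | 9.8 |
2622660 | Update to Security Note released on April 2018 Patch Day: | Hot News | 9.8 |
2806198 | [CVE-2020-6203] Path Manipulation in SAP NetWeaver UDDI Server (Services Registry) | Hot News | 9.1 |
2861301 | [CVE-2020-6208] Remote Code Execution in SAP Business Objects BI Platform (Crystal Reports) | High | 8.2 |
2858044 | [CVE-2020-6209] Missing Authorization check in SAP Disclosure Management | High | 7.5 |
2826782 | [CVE-2020-6196] Denial of service (DOS) in SAP BusinessObjects Mobile (MobileBIService) | High | 7.5 |
2660005 | Update to Security Note released on August 2018 Patch Day: | High | 7.2 |
2876813 | [CVE-2020-6201] Cross-Site Scripting (XSS) vulnerability in SAP Commerce Cloud (testweb extension) | Medium | 6.1 |
2884910 | [CVE-2020-6205] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP BSP (Smart Forms) | Medium | 6.1 |
2847787 | [CVE-2020-6202] Missing XML Validation in SAP NetWeaver AS Java (User Management Engine) | Medium | 5.5 |
2876413 | [CVE-2020-6200] Cross-Site Scripting in SAP Commerce Cloud (SmartEdit extension) | Medium | 5.4 |
2871167 | [CVE-2020-6199] Missing Authorization check in SAP ERP and S/4 HANA (MENA Certificate Management) | Medium | 5.4 |
2880664 | [CVE-2020-6178] Insufficient session expiration in SAP Enable Now Manager | Medium | 5.4 |
2864462 | [CVE-2020-6210] Cross-Site Scripting (XSS) vulnerability in SAP Fiori Launchpad | Medium | 4.7 |
2859004 | [CVE-2020-6206] Cross-Site Request Forgery in SAP Cloud Platform Integration for data services | Medium | 4.7 |
2841874 | [CVE-2020-6204] Missing Authorization check in SAP Treasury and Risk Management (Transaction Management) | Medium | 4.3 |
2845363 | [CVE-2020-6197] Insufficient session expiration in SAP Enable Now Manager | Medium | 3.8 |
"""

# Assumption (not defined by the bulletin): CVSS bands commonly used for SAP
# note priorities. Only used as a sanity check on the listed priority column.
BANDS: List[Tuple[float, str]] = [(9.0, "Hot News"), (7.0, "High"), (4.0, "Medium"), (0.0, "Low")]
PRIORITY_RANK = {"Hot News": 0, "High": 1, "Medium": 2, "Low": 3}
CVE_RE = re.compile(r"\[(CVE-\d{4}-\d+)\]")


@dataclass
class Note:
    note_id: str
    cve: Optional[str]      # None for "Update to Security Note ..." rows
    title: str
    priority: str
    cvss: float


def parse_notes(text: str) -> List[Note]:
    """Parse pipe-separated rows; skips the header and any non-note lines."""
    notes: List[Note] = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 4 or not cells[0].isdigit():
            continue
        note_id, title, priority, cvss = cells[0], cells[1], cells[2], cells[3]
        m = CVE_RE.search(title)
        notes.append(Note(note_id, m.group(1) if m else None, title, priority, float(cvss)))
    return notes


def expected_priority(cvss: float) -> str:
    """Map a CVSS score to the assumed SAP priority band."""
    for threshold, name in BANDS:
        if cvss >= threshold:
            return name
    return "Low"


def find_mismatches(notes: List[Note]) -> List[Tuple[str, str, str]]:
    """Rows whose listed priority differs from the CVSS band: (note, listed, expected)."""
    return [(n.note_id, n.priority, expected_priority(n.cvss))
            for n in notes if expected_priority(n.cvss) != n.priority]


def patch_order(notes: List[Note]) -> List[str]:
    """Note numbers in remediation order: priority, then CVSS descending, then note#."""
    ranked = sorted(notes, key=lambda n: (PRIORITY_RANK.get(n.priority, 99), -n.cvss, n.note_id))
    return [n.note_id for n in ranked]


def summarize(notes: List[Note]) -> Dict[str, int]:
    """Count of notes per listed priority, in priority order."""
    counts: Dict[str, int] = {}
    for n in sorted(notes, key=lambda n: PRIORITY_RANK.get(n.priority, 99)):
        counts[n.priority] = counts.get(n.priority, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_notes(RAW_NOTES)
    print("notes per priority:", summarize(parsed))
    print("patch order:", " ".join(patch_order(parsed)))
    for note_id, listed, expected in find_mismatches(parsed):
        print(f"check {note_id}: listed {listed}, CVSS band suggests {expected}")
```

Run on the March list, the script puts the four Hot News notes first (2890213 at CVSS 10 leading) and flags note 2845363, listed as Medium at CVSS 3.8, as the one row outside its band, which is exactly the kind of entry worth confirming in the Support Portal rather than deprioritising on the strength of the score alone.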
[Chart] Security Notes vs Vulnerability Types# - March 2020
# One security note can fix multiple vulnerabilities in the same product.
[Chart] Security Notes vs Priority Distribution (October 2019 – March 2020)**
* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in SAP Support Portal
** Any Patch Day Security Note released after the second Tuesday will be accounted for in the following SAP Security Patch Day.
Customers who would like to see all Security Notes published or updated after February 11, 2020 can go to Launchpad Expert Search → filter 'SAP Security Notes' released between 'February 12, 2020 - March 10, 2020' → Go.
To learn more about the security researchers and research companies who contributed to this month's security patches, visit the SAP Product Security Response Acknowledgement Page.
Do write to us at secure@sap.com with all your comments and feedback on this blog post.