Child pages
  • SAP Security Patch Day – March 2020
Skip to end of metadata
Go to start of metadata

This post by SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that the customer visits the Support Portal and applies patches on a priority to protect their SAP landscape.

On 10th of March 2020, SAP Security Patch Day saw the release of 16 Security Notes. There are 2 updates to previously released Patch Day Security Notes.

List of security notes released on March Patch Day:

Note#TitlePriorityCVSS
2890213

[CVE-2020-6207] Missing Authentication Check in SAP Solution Manager (User-Experience Monitoring)
Product - SAP Solution Manager (User Experience Monitoring), Version - 7.2 

Hot News10
2845377

[CVE-2020-6198] Missing Authentication check in SAP Solution Manager (Diagnostics Agent)
Product - SAP Solution Manager (Diagnostics Agent), Versions - 7.2

Hot News9.8
2622660

Update to Security Note released on April 2018 Patch Day:
Security updates for the browser control Google Chromium delivered with SAP Business Client
Product - SAP Business Client, Version - 6.5

Hot News9.8
2806198[CVE-2020-6203Path Manipulation in SAP NetWeaver UDDI Server(Services Registry)
Product - SAP NetWeaver UDDI Server (Services Registry), Versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50
Hot News9.1
2861301[CVE-2020-6208] Remote Code Execution in SAP Business Objects Business Intelligence Platform (Crystal Reports)
Product
 - SAP Business Objects Business Intelligence Platform (Crystal Reports), Versions - 4.1, 4.2  
High8.2
2858044

[CVE-2020-6209Missing Authorization check in SAP Disclosure Management
Product - SAP Disclosure Management , Version - 10.1

Information for CVE: An attacker need to know the application specific services and functionality of default password

High7.5
2826782

[CVE-2020-6196Denial of service (DOS) in SAP BusinessObjects Mobile (MobileBIService)
Product - SAP BusinessObjects Mobile (MobileBIService),Versions - 4.2

High7.5 
2660005

Update to Security Note released on August 2018 Patch Day:
[CVE-2018-2450SQL Injection Vulnerability in SAP MaxDB/liveCache
Product -  SAP MaxDB (liveCache), Versions - 7.8, 7.9

High7.2
2876813

[CVE-2020-6201Cross-Site Scripting (XSS) vulnerability in SAP Commerce Cloud (testweb extension)
Product - SAP Commerce Cloud (Testweb Extension), Version - 6.6, 6.7, 1808, 1811, 1905 

Medium6.1
2884910

[CVE-2020-6205Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP Business Server Pages  (Smart Forms)
Product - SAP NetWeaver AS ABAP Business Server Pages (Smart Forms) - SAP_BASIS, Versions - 7.007.01, 7.02, 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, 7.51, 7.52, 7.53, 7.54

Medium6.1
2847787

[CVE-2020-6202Missing XML Validation in SAP NetWeaver Application Server Java (User Management Engine)
Product - SAP NetWeaver Application Server Java (User Management Engine), Versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 

Medium5.5
2876413

[CVE-2020-6200Cross-Site-Scripting in SAP Commerce Cloud (SmartEdit extension)
Product - SAP Commerce Cloud (SmartEdit Extension), Versions - 6.6, 6.7, 1808, 1811

Medium5.4
2871167

[CVE-2020-6199Missing Authorization check in SAP ERP and S/4 HANA (MENA Certificate Management)
Product - SAP ERP (EAPPGLO), Versions - 607

Medium5.4
2880664

[CVE-2020-6178Insufficient session expiration in SAP Enable Now Manager
Product - SAP Enable Now, Versions - before version 1911 

Medium5.4
2864462

[CVE-2020-6210Cross-Site Scripting (XSS) vulnerability in SAP Fiori Launchpad
Product - SAP Fiori Launchpad, Versions - 753, 754

Medium4.7
2859004

[CVE-2020-6206Cross-Site Request Forgery in SAP Cloud Platform Integration for data services
Product - SAP Cloud Platform Integration for Data Services, Version - 1.0

Medium4.7
2841874

[CVE-2020-6204Missing Authorization check in SAP Treasury and Risk Management (Transaction Management)
Product - SAP Treasury and Risk Management (Transaction Management), Versions - EA-FINSERV600, 603, 604, 605, 606, 616, 617, 618, 800, S4CORE101, 102, 103, 104 

Medium4.3
2845363

[CVE-2020-6197Insufficient session expiration in SAP Enable Now Manager
Product - SAP Enable Now, Versions - before version 1908

Medium3.8

________________________________________________________________________________

Security Notes vs Vulnerability Types# -  March 2020

 

#One security note can fix multiple vulnerabilities on same product


Security Notes vs Priority Distribution (October 2019 – March 2020)**

* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in SAP Support Portal

** Any Patch Day Security Note released after the second Tuesday, will be accounted for in the following SAP Security Patch Day.

Customers who would like to take a look at all Security Notes published or updated after February 11, 2020, go to Launchpad Expert Search → Filter 'SAP Security Notes' released between 'February 12, 2020 - March 10, 2020' → Go.

To know more about the security researchers and research companies who have contributed for security patches of this month, visit SAP Product Security Response Acknowledgement Page.

Do write to us at secure@sap.com with all your comments and feedback on this blog post.

SAP Product Security Response Team

  • No labels