Product Security Response at SAP
Child pages
  • SAP Security Patch Day – April 2020
Skip to end of metadata
Go to start of metadata

This post by SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that the customer visits the Support Portal and applies patches on a priority to protect their SAP landscape.

On 14th of April 2020, SAP Security Patch Day saw the release of 23 Security Notes. There are 3 updates to previously released Patch Day Security Notes.

List of security notes released on April Patch Day:

Note#TitlePriorityCVSS
2904480

[CVE-2020-6238Missing XML Validation vulnerability in SAP Commerce
Product - SAP Commerce, Version - 6.6, 6.7, 1808, 1811, 1905 

Hot News9.3
2839864

Update to Security Note released on November 2019 Patch Day:
Update 2 to Security Note 2808158: [CVE-2019-0330] OS Command Injection vulnerability in SAP Diagnostics Agent
Product - SAP Diagnostic Agent (LM-Service), Versions - 7.20

Hot News9.1
2896682

[CVE-2020-6225] Directory Traversal vulnerability in SAP NetWeaver (Knowledge Management)
Product - SAP NetWeaver (Knowledge Management), Version - KMC-CM - 7.00, 7.01, 7.02, 7.30, 7.31, 7.40, 7.50; KMC-WPC – 7.30, 7.31, 7.40, 7.50 

Hot News9.1
2863731[CVE-2020-6219Deserialization of Untrusted Data in SAP Business Objects Business Intelligence Platform (CrystalReports WebForm Viewer)
Product - SAP Business Objects Business Intelligence Platform (CrystalReports WebForm Viewer), Versions - 4.1, 4.2 		Hot News9.1
2900118[CVE-2020-6230Code Injection vulnerability in SAP OrientDB 3.0
Product - SAP OrientDB, Version - 3.0
Hot News9.1
2906994

[CVE-2020-6235Missing authentication check in SAP Solution Manager (Diagnostics Agent)
Product - SAP Solution Manager (Diagnostics Agent), Version - 7.2 

High8.6
2861301

Update to Security Note released on March 2020 Patch Day:
[CVE-2020-6208Remote Code Execution in SAP Business Objects Business Intelligence Platform (Crystal Reports)
Product - SAP Business Objects Business Intelligence Platform (Crystal Reports), Versions - 4.1, 4.2, 4.3

High8.1 
2898077

[CVE-2020-6237Information Disclosure in SAP Business Objects Business Intelligence Platform (dswsbobje Web Application)
Product - SAP Business Objects Business Intelligence Platform, Versions - 4.1, 4.2 

High7.5
2902645

[CVE-2020-6234Privilege Escalation in SAP Host Agent
Product - SAP Host Agent, Version - 7.21 

High7.2
2902456

[CVE-2020-6236Privilege Escalation in SAP Landscape Management 3.0/SAP Adaptive Extensions
Product - SAP Landscape Management, Version - 3.0
Product - SAP Adaptive Extensions, Version - 1.0

High7.2
2878507

[CVE-2020-6195Multiple vulnerabilities in SAP Business Objects Business Intelligence Platform
Additional CVEs: CVE-2020-6220, CVE-2020-6218, CVE-2020-6211, CVE-2020-6223, CVE-2020-6221
Product - SAP Business Objects Business Intelligence Platform, Versions - 4.1, 4.2 

Medium6.4
2864966

[CVE-2020-6212Missing Authorization Check in SAP ERP & S/4 HANA (Egypt localized Withholding Tax reports)
Product - SAP ERP, Versions - 618, 730, EAPPLGLO 607 
Product - SAP S/4 HANA, Versions - 100, 101, 102, 103, 104 

Medium6.3
2826528

[CVE-2020-6224Information Disclosure in SAP NetWeaver Application Server Java (HTTP Service)
Product - SAP NetWeaver AS Java (HTTP Service), Versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50

Medium6.2
2876059

[CVE-2020-6216Cross-Site Scripting (XSS) vulnerability in SAP Business Objects Business Intelligence Platform (BILaunchpad/ Opendocument)
Product - SAP Business Objects Business Intelligence Platform (BI Launchpad), Versions - 4.2

Medium6.1
2872782

[CVE-2020-6215Cross-Site Scripting (XSS) vulnerability in SAP Fiori Launchpad
Product - SAP NetWeaver AS ABAP (Business Server Pages Test Application IT00) , Versions - 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754 

Medium6.1
2872752

[CVE-2020-6213Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP(Business Server Pages Test Application SBSPEXT_PHTMLB)
Product - SAP NetWeaver AS ABAP (Business Server Pages Test Application SBSPEXT_PHTMLB), Versions - 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754 

Medium6.1
2872545

[CVE-2020-6217Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP (Business Server Pages Test Application IT05)
Product - SAP NetWeaver AS ABAP (Business Server Pages Test Application IT05), Versions - 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754 

Medium6.1
2900374

[CVE-2020-6229Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP (Business Server Pages application CRM_BSP_FRAME)
Product - SAP NetWeaver AS ABAP (Business Server Pages application CRM_BSP_FRAME), Versions - 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 75A, 75B, 75C, 75D, 75E

Medium6.1
2879132

[CVE-2020-6226Cross-Site Scripting (XSS) vulnerabilities in SAP Business Objects Business Intelligence Platform (Web Intelligence HTML interface)
Additional CVE: CVE-2020-6231
Product - SAP Business Objects Business Intelligence Platform (Web Intelligence HTML interface) , Version - 4.2

Medium5.4
2880804

[CVE-2020-6222] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface)
Product - SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface) , Versions - 4.1, 4.2 

Medium5.4
2866752

[CVE-2020-6228Missing Integrity Check in SAP BUSINESS CLIENT
Product - SAP Business Client, Versions - 6.5, 7.0 

Medium5.3
2863396

[CVE-2020-6227Remote unauthenticated log injection in SAP Business Objects Business Intelligence Platform (CMS / Auditing issues)
Product - SAP Business Objects Business Intelligence Platform (CMS / Auditing issues), Version - 4.2

Medium5.3
2888556

[CVE-2020-6232Missing Authorization check in SAP Commerce
Product - SAP Commerce, Versions - 1811, 1905 

Medium5.3
2864462

Update to Security Note released on March 2020 Patch Day:
[CVE-2020-6210Cross-Site Scripting (XSS) vulnerability in SAP Fiori Launchpad
Product - SAP Fiori Launchpad, Versions - 753, 754

Medium4.7
2897612

[CVE-2020-6214Incorrect Authorization in SAP S/4HANA (Financial Products Subledger)
Product - SAP S/4HANA (Financial Products Subledger), Versions - 100

Medium4.7
2904796

[CVE-2020-6233Missing Authorization Check in SAP S/4 HANA (Financial Products Subledger and Banking Services)
Product - SAP S/4 HANA (Financial Products Subledger and Banking Services), Versions - FSAPPL 400, 450, 500; S4FPSL 100 

Medium4.3

________________________________________________________________________________

Vulnerability Type Distribution -  April 2020

 

#No. of Vulnerabilities correspond to the no. of CVEs published. Multiple vulnerabilities on same product can be fixed by one security note. 


Security Notes vs Priority Distribution (November 2019 – April 2020)**

* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in SAP Support Portal

** Any Patch Day Security Note released after the second Tuesday, will be accounted for in the following SAP Security Patch Day.


Customers who would like to take a look at all Security Notes published or updated after March 10, 2020, go to Launchpad Expert Search → Filter 'SAP Security Notes' released between 'March 11, 2020 - April 14, 2020' → Go.

To know more about the security researchers and research companies who have contributed for security patches of this month, visit SAP Product Security Response Acknowledgement Page.

Do write to us at secure@sap.com with all your comments and feedback on this blog post.

SAP Product Security Response Team

  • No labels