SAP Security Patch Day – May 2020

This post by the SAP Product Security Response Team shares information on the Patch Day Security Notes* that are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply the patches on priority to protect their SAP landscape.

On 12 May 2020, SAP Security Patch Day saw the release of 18 Security Notes. There are also 4 updates to previously released Patch Day Security Notes.

List of security notes released on May Patch Day:

| Note# | Title | Product and versions | Priority | CVSS |
|---|---|---|---|---|
| 2835979 | [CVE-2020-6262] Code Injection vulnerability in Service Data Download | SAP Application Server ABAP, Versions - 2008_1_46C, 2008_1_620, 2008_1_640, 2008_1_700, 2008_1_710, 740 | Hot News | 9.9 |
| 2622660 | Update to Security Note released on April 2018 Patch Day: Security updates for the browser control Google Chromium delivered with SAP Business Client | SAP Business Client, Version - 6.5 | Hot News | 9.8 |
| 2885244 | [CVE-2020-6242] Missing Authentication check in SAP Business Objects Business Intelligence Platform (Live Data Connect) | SAP Business Objects Business Intelligence Platform (Live Data Connect), Versions - 1.0, 2.0, 2.x | Hot News | 9.8 |
| 2917275 | [CVE-2020-6248] Code injection in SAP Adaptive Server Enterprise (Backup Server) | SAP Adaptive Server Enterprise (Backup Server), Version - 16.0 | Hot News | 9.1 |
| 2863731 | Update to Security Note released on April 2020 Patch Day: [CVE-2020-6219] Deserialization of Untrusted Data in SAP Business Objects Business Intelligence Platform (CR .Net SDK WebForm Viewer) | SAP Business Objects Business Intelligence Platform (CrystalReports WebForm Viewer), Versions - 4.1, 4.2 | Hot News | 9.1 |
| 2917090 | [CVE-2020-6252] Information Disclosure in SAP Adaptive Server Enterprise (Cockpit) | SAP Adaptive Server Enterprise (Cockpit), Version - 16.0 | Hot News | 9.0 |
| 2916927 | [CVE-2020-6241] SQL Injection vulnerability in SAP Adaptive Server Enterprise | SAP Adaptive Server Enterprise, Version - 16.0 | High | 8.8 |
| 2915585 | [CVE-2020-6243] Code Injection in SAP Adaptive Server Enterprise (XP Server on Windows Platform) | SAP Adaptive Server Enterprise (XP Server on Windows Platform), Versions - 15.7, 16.0 | High | 8.0 |
| 2908560 | [CVE-2020-6249] SQL Injection vulnerability in SAP Master Data Governance (MDG) | SAP Master Data Governance, Versions - S4CORE 101; S4FND 102, 103, 104; SAP_BS_FND 748 | High | 7.7 |
| 2917273 | [CVE-2020-6253] SQL Injection vulnerability in SAP Adaptive Server Enterprise (Web Services) | SAP Adaptive Server Enterprise (Web Services), Versions - 15.7, 16.0 | High | 7.2 |
| 2911801 | [CVE-2020-6244] Binary planting vulnerability in SAP Business Client | SAP Business Client, Version - 7.0 | Medium | 7.0 |
| 2917022 | [CVE-2020-6250] Information Disclosure in SAP Adaptive Server Enterprise | SAP Adaptive Server Enterprise, Version - 16.0 | Medium | 6.8 |
| 2828558 | [CVE-2020-6245] Multiple Vulnerabilities in SAP Business Objects Business Intelligence Platform. Additional CVEs - CVE-2020-6247, CVE-2020-6251 | SAP Business Objects Business Intelligence Platform, Version - 4.2 | Medium | 6.5 |
| 2920548 | [CVE-2020-6259] Missing authorization check in SAP Adaptive Server Enterprise | SAP Adaptive Server Enterprise, Versions - 15.7, 16.0 | Medium | 6.5 |
| 2913293 | [CVE-2020-6254] Cross-Site Scripting (XSS) vulnerability in SAP Enterprise Threat Detection | SAP Enterprise Threat Detection, Versions - 1.0, 2.0 | Medium | 6.1 |
| 2912747 | [CVE-2020-6256] Missing Authorization check in SAP Master Data Governance | SAP Master Data Governance, Versions - 748, 749, 750, 751, 752, 800, 801, 802, 803, 804 | Medium | 5.4 |
| 2907781 | [CVE-2020-6257] Cross-Site Scripting (XSS) vulnerability in SAP Business Objects Business Intelligence Platform (CMC and BI launchpad) | SAP Business Objects Business Intelligence Platform (CMC and BI launchpad), Version - 4.2 | Medium | 5.4 |
| 2732527 | Update to Security Note released on March 2019 Patch Day: Potential Oracle attack on OPC UA server in SAP Plant Connectivity | SAP Plant Connectivity, Versions - 15.1, 15.2, 15.3, 15.4 | Medium | 5.3 |
| 2856923 | [CVE-2020-6240] Denial of service (DOS) in SAP NetWeaver Application Server ABAP (Web Dynpro ABAP) | SAP NetWeaver AS ABAP (Web Dynpro ABAP), Versions - SAP_UI 750, 752, 753, 754; SAP_BASIS 700, 710, 730, 731, 804 | Medium | 5.3 |
| 2735924 | Update to Security Note released on September 2019 Patch Day: [CVE-2019-0352] Improper session management in SAP Business Objects Business Intelligence Platform (CMC) | SAP Business Objects Business Intelligence Platform, Versions - before 4.1, 4.2 and 4.3 | Medium | 4.3 |
| 2915429 | Update 1 to Security Note 2735924 - [CVE-2019-0352] Improper session management in SAP Business Objects Business Intelligence Platform (CMC) | SAP Business Objects Business Intelligence Platform, Versions - before 4.1, 4.2 and 4.3 | Medium | 4.3 |
| 2915429 | [CVE-2020-6258] Missing Authorization check in SAP Identity Management | SAP Identity Management, Version - 8.0 | Medium | 4.3 |

________________________________________________________________________________

[Chart] Vulnerability Type Distribution – May 2020 #

# Multiple vulnerabilities on the same product can be fixed by one security note.

[Chart] Security Notes vs Priority Distribution (December 2019 – May 2020) **

* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in SAP Support Portal

** Any Patch Day Security Note released after the second Tuesday will be accounted for in the following SAP Security Patch Day.


Customers who would like to review all Security Notes published or updated after March 10, 2020 can go to Launchpad Expert Search → Filter 'SAP Security Notes' released between 'April 15, 2020 - May 12, 2020' → Go.

To know more about the security researchers and research companies who contributed to this month's security patches, visit the SAP Product Security Response Acknowledgement Page.

Do write to us at secure@sap.com with all your comments and feedback on this blog post.

SAP Product Security Response Team
