This post by SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that the customer visits the Support Portal and applies patches on a priority to protect their SAP landscape.
On 12th of May 2020, SAP Security Patch Day saw the release of 18 Security Notes. There are 4 updates to previously released Patch Day Security Notes.
List of security notes released on May Patch Day:
| Note# | Title | Priority | CVSS |
| 2835979 | [CVE-2020-6262] Code Injection vulnerability in Service Data Download | Hot News | 9.9 |
| 2622660 | Update to Security Note released on April 2018 Patch Day: | Hot News | 9.8 |
| 2885244 | [CVE-2020-6242] Missing Authentication check in SAP Business Objects Business Intelligence Platform (Live Data Connect) | Hot News | 9.8 |
| 2917275 | [CVE-2020-6248] Code injection in SAP Adaptive Server Enterprise (Backup Server) Product - SAP Adaptive Server Enterprise (Backup Server), Version - 16.0 | Hot News | 9.1 |
| 2863731 | Update to Security Note released on April 2020 Patch Day: [CVE-2020-6219] Deserialization of Untrusted Data in SAP Business Objects Business Intelligence Platform (CR .Net SDK WebForm Viewer) Product - SAP Business Objects Business Intelligence Platform (CrystalReports WebForm Viewer), Versions - 4.1, 4.2 | Hot News | 9.1 |
| 2917090 | [CVE-2020-6252] Information Disclosure in SAP Adaptive Server Enterprise (Cockpit) | Hot News | 9 |
| 2916927 | [CVE-2020-6241] SQL Injection vulnerability in SAP Adaptive Server Enterprise | High | 8.8 |
| 2915585 | [CVE-2020-6243] Code Injection in SAP Adaptive Server Enterprise (XP Server on Windows Platform) | High | 8 |
| 2908560 | [CVE-2020-6249] SQL Injection vulnerability in SAP Master Data Governance(MDG) | High | 7.7 |
| 2917273 | [CVE-2020-6253] SQL Injection vulnerability in SAP Adaptive Server Enterprise (Web Services) | High | 7.2 |
| 2911801 | [CVE-2020-6244] Binary planting vulnerability in SAP Business Client | Medium | 7 |
| 2917022 | [CVE-2020-6250] Information Disclosure in SAP Adaptive Server Enterprise | Medium | 6.8 |
| 2828558 | [CVE-2020-6245] Multiple Vulnerabilities in SAP Business Objects Business Intelligence Platform | Medium | 6.5 |
| 2920548 | [CVE-2020-6259] Missing authorization check in SAP Adaptive Server Enterprise | Medium | 6.5 |
| 2913293 | [CVE-2020-6254] Cross-Site Scripting (XSS) vulnerability in SAP Enterprise Threat Detection | Medium | 6.1 |
| 2912747 | [CVE-2020-6256] Missing Authorization check in SAP Master Data Governance | Medium | 5.4 |
| 2907781 | [CVE-2020-6257] Cross-Site Scripting (XSS) vulnerability in SAP Business Objects Business Intelligence Platform (CMC and BI launchpad) | Medium | 5.4 |
| 2732527 | Update to Security Note released on March 2019 Patch Day: | Medium | 5.3 |
| 2856923 | [CVE-2020-6240] Denial of service (DOS) in SAP NetWeaver Application Server ABAP (Web Dynpro ABAP) | Medium | 5.3 |
| 2735924 | Update to Security Note released on September 2019 Patch Day: | Medium | 4.3 |
| 2915429 | Update 1 to Security Note 2735924 - [CVE-2019-0352] Improper session management in SAP Business Objects Business Intelligence Platform(CMC) | Medium | 4.3 |
| 2915429 | [CVE-2020-6258] Missing Authorization check in SAP Identity Management | Medium | 4.3 |
________________________________________________________________________________
Vulnerability Type Distribution - May 2020
#Multiple vulnerabilities on same product can be fixed by one security note.
Security Notes vs Priority Distribution (December 2019 – May 2020)**
* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in SAP Support Portal
** Any Patch Day Security Note released after the second Tuesday, will be accounted for in the following SAP Security Patch Day.
Customers who would like to take a look at all Security Notes published or updated after March 10, 2020, go to Launchpad Expert Search → Filter 'SAP Security Notes' released between 'April 15, 2020 - May 12, 2020' → Go.
To know more about the security researchers and research companies who have contributed for security patches of this month, visit SAP Product Security Response Acknowledgement Page.
Do write to us at secure@sap.com with all your comments and feedback on this blog post.