This post by the SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply the patches as a priority to protect their SAP landscape.
On 9 June 2020, SAP Security Patch Day saw the release of 16 Security Notes. There is 1 update to a previously released Patch Day Security Note.
List of security notes released on June Patch Day:
| Note# | Title | Priority | CVSS |
|---|---|---|---|
| 2928570 | 'Ghostcat' Apache Tomcat AJP Vulnerability in SAP Liquidity Management for Banking. Related CVE - CVE-2020-1938. Product - SAP Liquidity Management for Banking; Version - 6.2 | Hot News | 9.8 |
| 2918924 | [CVE-2020-6265] Use of Hard-coded Credentials in SAP Commerce and SAP Commerce Datahub. Product - SAP Commerce; Versions - 6.7, 1808, 1811, 1905. Product - SAP Commerce (Data Hub); Versions - 6.7, 1808, 1811, 1905 | Hot News | 9.8 |
| 2906366 | [CVE-2020-6264] Information Disclosure in SAP Commerce. Product - SAP Commerce; Versions - 6.7, 1808, 1811, 1905 | High | 8.6 |
| 2931391 | [CVE-2020-6271] Missing XML Validation in SAP Solution Manager (Problem Context Manager). Product - SAP Solution Manager (Problem Context Manager); Version - 7.2 | High | 8.1 |
| 2912939 | [CVE-2020-6275] Server Side Request Forgery vulnerability in SAP NetWeaver AS ABAP. Product - SAP NetWeaver AS ABAP; Versions - 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754 | High | 7.6 |
| 2878568 | [CVE-2020-6263] Authentication Bypass in Standalone Clients connecting to SAP NetWeaver AS Java via P4 Protocol. Product - SAP NetWeaver AS JAVA (P4 Protocol); Versions - SAP-JEECOR 7.00, 7.01; SERVERCOR 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; CORE-TOOLS 7.00, 7.01, 7.02, 7.05, 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 | Medium | 6.9 |
| 2916562 | [CVE-2020-6270] Missing Authorization check in SAP NetWeaver AS ABAP (Banking Services). Product - SAP NetWeaver AS ABAP (Banking Services); Versions - 710, 711, 740, 750, 751, 752, 75A, 75B, 75C, 75D, 75E | Medium | 6.5 |
| 2915126 | [CVE-2020-6260] Incomplete XML Validation in SAP Solution Manager (Trace Analysis) | Medium | 6.5 |
| 2918762 | Multiple vulnerabilities in Adobe LiveCycle Designer 11.0. Related CVEs - CVE-2018-1000632, CVE-2019-17571. Component - Adobe LiveCycle Designer; Version - 11.0 | Medium | 6.5 |
| 2878935 | [CVE-2020-6246] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP (Business Server Pages Test Application SBSPEXT_TABLE). Product - SAP NetWeaver AS ABAP (Business Server Pages Test Application SBSPEXT_TABLE); Versions - 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754 | Medium | 6.1 |
| 2911704 | [CVE-2020-6266] URL redirection in SAP Fiori for SAP S/4HANA. Product - SAP Fiori for SAP S/4HANA; Versions - 200, 300, 400, 500 | Medium | 5.4 |
| 2911687 | [CVE-2020-6266] URL redirection in SAP Fiori for SAP S/4HANA. Product - SAP Fiori for SAP S/4HANA; Versions - 200, 300, 400, 500 | Medium | 5.4 |
| 2906996 | [CVE-2020-6268] Missing authorization check in SAP ERP (Statutory Reporting for Insurance Companies). Product - SAP ERP (Statutory Reporting for Insurance Companies); Versions - EA-FINSERV 600, 603, 604, 605, 606, 616, 617, 618, 800; S4CORE 101, 102, 103, 104 | Medium | 5.4 |
| 2908382 | [CVE-2020-6239] Information Disclosure in SAP Business One (Backup Service). Product - SAP Business One (Backup service); Versions - 9.3, 10.0 | Medium | 4.4 |
| 2752614 | Update to Security Note released on July 2019 Patch Day: [CVE-2019-0319] Content Injection Vulnerability in SAP Gateway. Product - SAP Gateway; Versions - 7.5, 7.51, 7.52 and 7.53 | Medium | 4.3 |
| 2911267 | Update 1 to Security Note 2752614: [CVE-2019-0319] Content Injection Vulnerability in SAP Gateway. Product - SAP Gateway; Versions - 7.40, 2.00 | Medium | 4.3 |
| 2905836 | [CVE-2020-6269] Information Disclosure in SAP Business Objects Business Intelligence Platform. Product - SAP Business Objects Business Intelligence Platform; Version - 4.2 | Medium | 4.3 |
[Chart: Vulnerability Type Distribution - June 2020]
# Multiple vulnerabilities on the same product can be fixed by one security note.
[Chart: Security Notes vs Priority Distribution (January 2020 – June 2020)**]
* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in SAP Support Portal
** Any Patch Day Security Note released after the second Tuesday will be accounted for in the following SAP Security Patch Day.
Customers who would like to see all Security Notes published or updated after May 12, 2020 can go to Launchpad Expert Search → Filter 'SAP Security Notes' released between 'May 13, 2020 - June 09, 2020' → Go.
To learn more about the security researchers and research companies who contributed to this month's security patches, visit the SAP Product Security Response Acknowledgement Page.
Do write to us at secure@sap.com with all your comments and feedback on this blog post.