SAP Security Patch Day – June 2020

This post by the SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply patches on priority to protect their SAP landscape.

On 9th of June 2020, SAP Security Patch Day saw the release of 16 Security Notes. There is 1 update to a previously released Patch Day Security Note.

List of security notes released on June Patch Day:

| Note# | Title | Priority | CVSS |
|---|---|---|---|
| 2928570 | 'Ghostcat' Apache Tomcat AJP Vulnerability in SAP Liquidity Management for Banking<br>Related CVE - CVE-2020-1938<br>Product - SAP Liquidity Management for Banking; Version - 6.2 | Hot News | 9.8 |
| 2918924 | [CVE-2020-6265] Use of Hard-coded Credentials in SAP Commerce and SAP Commerce Datahub<br>Product - SAP Commerce; Version - 6.7, 1808, 1811, 1905<br>Product - SAP Commerce (Data Hub); Versions - 6.7, 1808, 1811, 1905 | Hot News | 9.8 |
| 2906366 | [CVE-2020-6264] Information Disclosure in SAP Commerce<br>Product - SAP Commerce; Versions - 6.7, 1808, 1811, 1905 | High | 8.6 |
| 2931391 | [CVE-2020-6271] Missing XML Validation in SAP Solution Manager (Problem Context Manager)<br>Product - SAP Solution Manager (Problem Context Manager); Version - 7.2 | High | 8.1 |
| 2912939 | [CVE-2020-6275] Server Side Request Forgery vulnerability in SAP NetWeaver AS ABAP<br>Product - SAP Netweaver AS ABAP; Versions - 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754 | High | 7.6 |
| 2878568 | [CVE-2020-6263] Authentication Bypass in Standalone Clients connecting to SAP NetWeaver AS Java via P4 Protocol<br>Product - SAP NetWeaver AS JAVA (P4 Protocol); Versions - SAP-JEECOR 7.00, 7.01; SERVERCOR 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; CORE-TOOLS 7.00, 7.01, 7.02, 7.05, 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 | Medium | 6.9 |
| 2916562 | [CVE-2020-6270] Missing Authorization check in SAP Netweaver AS ABAP (Banking Services)<br>Product - SAP NetWeaver AS ABAP (Banking Services); Versions - 710, 711, 740, 750, 751, 752, 75A, 75B, 75C, 75D, 75E | Medium | 6.5 |
| 2915126 | [CVE-2020-6260] Incomplete XML Validation in SAP Solution Manager (Trace Analysis)<br>Additional CVE: CVE-2020-6261<br>Product - SAP Solution Manager (Trace Analysis); Version - 7.20 | Medium | 6.5 |
| 2918762 | Multiple vulnerabilities in Adobe LiveCycle Designer 11.0<br>Related CVEs - CVE-2018-1000632, CVE-2019-17571<br>Component - Adobe LiveCycle Designer; Version - 11.0 | Medium | 6.5 |
| 2878935 | [CVE-2020-6246] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP (Business Server Pages Test Application SBSPEXT_TABLE)<br>Product - SAP NetWeaver AS ABAP (Business Server Pages Test Application SBSPEXT_TABLE); Versions - 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754 | Medium | 6.1 |
| 2911704 | [CVE-2020-6266] URL redirection in SAP Fiori for SAP S/4HANA<br>Product - SAP Fiori for SAP S/4HANA; Versions - 200, 300, 400, 500 | Medium | 5.4 |
| 2911687 | [CVE-2020-6266] URL redirection in SAP Fiori for SAP S/4HANA<br>Product - SAP Fiori for SAP S/4HANA; Versions - 200, 300, 400, 500 | Medium | 5.4 |
| 2906996 | [CVE-2020-6268] Missing authorization check in SAP ERP (Statutory Reporting for Insurance Companies)<br>Product - SAP ERP (Statutory Reporting for Insurance Companies); Versions - EA-FINSERV 600, 603, 604, 605, 606, 616, 617, 618, 800; S4CORE 101, 102, 103, 104 | Medium | 5.4 |
| 2908382 | [CVE-2020-6239] Information Disclosure in SAP Business One (Backup Service)<br>Product - SAP Business One (Backup service); Versions - 9.3, 10.0 | Medium | 4.4 |
| 2752614 | Update to Security Note released on July 2019 Patch Day:<br>[CVE-2019-0319] Content Injection Vulnerability in SAP Gateway<br>Product - SAP Gateway; Versions - 7.5, 7.51, 7.52 and 7.53 | Medium | 4.3 |
| 2911267 | Update 1 to Security Note 2752614 - [CVE-2019-0319] Content Injection Vulnerability in SAP Gateway<br>Product - SAP Gateway; Versions - 7.40, 2.00 | Medium | 4.3 |
| 2905836 | [CVE-2020-6269] Information Disclosure in SAP Business Objects Business Intelligence Platform<br>Product - SAP Business Objects Business Intelligence Platform; Version - 4.2 | Medium | 4.3 |

________________________________________________________________________________

[Figure: Vulnerability Type Distribution - June 2020]

#Multiple vulnerabilities on the same product can be fixed by one security note.

[Figure: Security Notes vs Priority Distribution (January 2020 – June 2020)**]

* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in SAP Support Portal

** Any Patch Day Security Note released after the second Tuesday, will be accounted for in the following SAP Security Patch Day.


Customers who would like to take a look at all Security Notes published or updated after May 12, 2020 can go to Launchpad Expert Search → Filter 'SAP Security Notes' released between 'May 13, 2020 - June 09, 2020' → Go.

To know more about the security researchers and research companies who have contributed to this month's security patches, visit the SAP Product Security Response Acknowledgement Page.

Do write to us at secure@sap.com with all your comments and feedback on this blog post.

SAP Product Security Response Team
