Child pages
  • SAP Security Patch Day – July 2020
Skip to end of metadata
Go to start of metadata

This post by SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that the customer visits the Support Portal and applies patches on a priority to protect their SAP landscape.

On 14th of July 2020, SAP Security Patch Day saw the release of 8 Security Notes. There are 2 updates to previously released Patch Day Security Note.

List of security notes released on July Patch Day:

Note#TitlePriorityCVSS
2934135[CVE-2020-6287] Multiple Vulnerabilities in SAP NetWeaver AS JAVA (LM Configuration Wizard)
Additional CVE - CVE-2020-6286
Product - SAP NetWeaver AS JAVA (LM Configuration Wizard); Versions - 7.30, 7.31, 7.40, 7.50 
Hot News10
2622660

Update to Security Note released on April 2018 Patch Day:
Security updates for the browser control Google Chromium delivered with SAP Business Client
Product - SAP Business Client, Version - 6.5

Hot News9.8
2932473[CVE-2020-6285] Information Disclosure in SAP NetWeaver (XMLToolkit for Java)
Product - SAP NetWeaver (XML Toolkit for JAVA); Versions - ENGINEAPI 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 
High7.7
2758000[CVE-2020-6267] Multiple vulnerabilities in SAP Disclosure Management
Additional CVEs - CVE-2020-6289, CVE-2020-6290, CVE-2020-6291, CVE-2020-6292
Product - SAP Disclosure Management ; Version - 10.1
Medium6.3
2917743[CVE-2020-6281] Cross-Site Scripting (XSS) vulnerability in SAP Business Objects Business Intelligence Platform(BI Launch pad)  
Product - SAP Business Objects Business Intelligence Platform (BI Launchpad); Version - 4.2
Medium6.1
2849967[CVE-2020-6276] Cross-Site Scripting (XSS) vulnerability in SAP Business Objects Business Intelligence Platform(Bipodata)
Product - SAP Business Objects Business Intelligence Platform (bipodata); Version - 4.2
Medium6.1
2896025[CVE-2020-6282] Server-Side Request Forgery in SAP NetWeaver AS JAVA (IIOP service)
Product - SAP NetWeaver AS JAVA (IIOP service) (SERVERCORE); Versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 
Product - SAP NetWeaver AS JAVA (IIOP service) (CORE-TOOLS); Versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 
Medium5.8
2912708[CVE-2020-6278] Cross-Site Scripting (XSS) vulnerability in SAP Business Objects Business Intelligence Platform (BI Launchpad and CMC)
Product - SAP Business Objects Business Intelligence Platform (BI Launchpad and CMC); Versions - 4.1, 4.2 
Medium5.4
2880804Update to Security Note released on April 2020 Patch Day:
[CVE-2020-6222] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface)
Product - SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface) , Versions4.1, 4.2 
Medium5.4
2927373[CVE-2020-6280] Information Disclosure in SAP NetWeaver (ABAP Server) and ABAP Platform
Product - SAP NetWeaver (ABAP Server) and ABAP Platform; Versions - 731, 740, 750 
Low2.7

________________________________________________________________________________

Vulnerability Type Distribution -  July 2020

 

#Multiple vulnerabilities on same product can be fixed by one security note. 


Security Notes vs Priority Distribution (February 2020 – July 2020)**

* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in SAP Support Portal

** Any Patch Day Security Note released after the second Tuesday, will be accounted for in the following SAP Security Patch Day.


Customers who would like to take a look at all Security Notes published or updated after June 9, 2020, go to Launchpad Expert Search → Filter 'SAP Security Notes' released between 'June 10, 2020 - July 14, 2020' → Go.

To know more about the security researchers and research companies who have contributed for security patches of this month, visit SAP Product Security Response Acknowledgement Page.

Do write to us at secure@sap.com with all your comments and feedback on this blog post.

SAP Product Security Response Team

  • No labels