This post by the SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply patches on priority to protect their SAP landscape.
On 11th of August 2020, SAP Security Patch Day saw the release of 15 Security Notes. There was 1 update to a previously released Patch Day Security Note.
List of security notes released on August Patch Day:
| Note# | Title | Priority | CVSS |
| --- | --- | --- | --- |
| 2934135 | Update to Security Note released on July 2020 Patch Day: | Hot News | 10 |
| 2928635 | [CVE-2020-6284] Cross-Site Scripting (XSS) vulnerability in SAP Netweaver (Knowledge Management); Product - SAP NetWeaver (Knowledge Management); Versions - 7.30, 7.31, 7.40, 7.50 | Hot News | 9 |
| 2927956 | [CVE-2020-6294] Missing Authentication check in SAP BusinessObjects Business Intelligence Platform; Product - SAP Business Objects Business Intelligence Platform; Versions - 4.2, 4.3 | High | 8.5 |
| 2939685 | [CVE-2020-6298] Missing Authorization check in SAP Banking Services (Generic Market Data); Product - SAP Banking Services (Generic Market Data); Versions - 400, 450, 500 | High | 8.3 |
| 2941667 | [CVE-2020-6296] Code Injection Vulnerability in SAP NetWeaver (ABAP) and ABAP Platform; Product - SAP NetWeaver (ABAP Server) and ABAP Platform; Versions - 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 753, 755 | High | 8.3 |
| 2941315 | [CVE-2020-6309] Missing Authentication check in SAP NetWeaver AS JAVA | High | 7.5 |
| 2938162 | [CVE-2020-6293] Unrestricted File Upload in SAP NetWeaver (Knowledge Management); Product - SAP NetWeaver (Knowledge Management); Versions - 7.30, 7.31, 7.40, 7.50 | High | 7.3 |
| 2941332 | [CVE-2020-6295] Information Disclosure in SAP Adaptive Server Enterprise; Product - SAP Adaptive Server Enterprise; Version - 16.0 | High | 7 |
| 2940823 | [CVE-2020-6297] Information Disclosure in SAP Data Intelligence; Product - SAP Data Intelligence; Version - 3 | Medium | 6.3 |
| 2941170 | Cross-Site Scripting (XSS) vulnerabilities in modified jQuery bundled with SAPUI5 | Medium | 6.1 |
| 2948317 | Vulnerabilities in open source libraries used in SAP Commerce; Related CVEs - CVE-2020-9281, CVE-2019-11358; Product - SAP Commerce; Versions - 6.7, 1808, 1811, 1905, 2005 | Medium | 6.1 |
| 2949196 | [CVE-2020-6301] Missing Authorization check in SAP ERP (HCM Travel Management); Product - SAP ERP (HCM Travel Management); Versions - 600, 602, 603, 604, 605, 606, 607, 608 | Medium | 5.4 |
| 2925827 | [CVE-2020-6300] Cross-Site Scripting (XSS) vulnerability in SAP Business Objects Business Intelligence Platform (Central Management Console); Product - SAP Business Objects Business Intelligence Platform (Central Management Console); Versions - 4.2, 4.3 | Medium | 4.8 |
| 2885671 | [CVE-2020-6273] Missing Authorization check in SAP S/4 HANA (Fiori UI for General Ledger Accounting); Product - SAP S/4 HANA (Fiori UI for General Ledger Accounting); Versions - 103, 104 | Medium | 4.3 |
| 2941510 | [CVE-2020-6299] Information Disclosure in SAP NetWeaver (ABAP Server) and ABAP Platform; Product - SAP NetWeaver (ABAP Server) and ABAP Platform; Versions - 740, 750, 751, 752, 753, 754, 755 | Medium | 4.3 |
| 2944988 | [CVE-2020-6310] Information Disclosure in SAP NetWeaver (ABAP Server) and ABAP Platform; Product - SAP NetWeaver (ABAP Server) and ABAP Platform; Versions - 702, 730, 731, 740, 750 | Medium | 4.3 |
________________________________________________________________________________
Vulnerability Type Distribution - August 2020
#Multiple vulnerabilities on the same product can be fixed by one security note.
Security Notes vs Priority Distribution (March 2020 – August 2020)**
* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in the SAP Support Portal.
** Any Patch Day Security Note released after the second Tuesday will be accounted for in the following SAP Security Patch Day.
Customers who would like to take a look at all Security Notes published or updated after July 14, 2020, can go to Launchpad Expert Search → Filter 'SAP Security Notes' released between 'July 15, 2020 - August 11, 2020' → Go.
To know more about the security researchers and research companies who have contributed to this month's security patches, visit the SAP Product Security Response Acknowledgement Page.
Do write to us at secure@sap.com with all your comments and feedback on this blog post.
SAP Product Security Response Team