SAP Security Patch Day – August 2020

This post by the SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply patches on priority to protect their SAP landscape.

On 11th of August 2020, SAP Security Patch Day saw the release of 15 Security Notes. There was 1 update to a previously released Patch Day Security Note.

List of security notes released on August Patch Day:

| Note# | Title | Priority | CVSS |
|---|---|---|---|
| 2934135 | Update to Security Note released on July 2020 Patch Day:<br>[CVE-2020-6287] Multiple Vulnerabilities in SAP NetWeaver AS JAVA (LM Configuration Wizard)<br>Additional CVE - CVE-2020-6286<br>Product - SAP NetWeaver AS JAVA (LM Configuration Wizard); Versions - 7.30, 7.31, 7.40, 7.50 | Hot News | 10 |
| 2928635 | [CVE-2020-6284] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver (Knowledge Management)<br>Product - SAP NetWeaver (Knowledge Management); Versions - 7.30, 7.31, 7.40, 7.50 | Hot News | 9 |
| 2927956 | [CVE-2020-6294] Missing Authentication check in SAP BusinessObjects Business Intelligence Platform<br>Product - SAP Business Objects Business Intelligence Platform; Versions - 4.2, 4.3 | High | 8.5 |
| 2939685 | [CVE-2020-6298] Missing Authorization check in SAP Banking Services (Generic Market Data)<br>Product - SAP Banking Services (Generic Market Data); Versions - 400, 450, 500 | High | 8.3 |
| 2941667 | [CVE-2020-6296] Code Injection Vulnerability in SAP NetWeaver (ABAP) and ABAP Platform<br>Product - SAP NetWeaver (ABAP Server) and ABAP Platform; Versions - 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 753, 755 | High | 8.3 |
| 2941315 | [CVE-2020-6309] Missing Authentication check in SAP NetWeaver AS JAVA<br>Product - SAP NetWeaver AS JAVA (ENGINEAPI versions - 7.10, 7.10; WSRM versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 and J2EE-FRMW versions - 7.10, 7.11) | High | 7.5 |
| 2938162 | [CVE-2020-6293] Unrestricted File Upload in SAP NetWeaver (Knowledge Management)<br>Product - SAP NetWeaver (Knowledge Management); Versions - 7.30, 7.31, 7.40, 7.50 | High | 7.3 |
| 2941332 | [CVE-2020-6295] Information Disclosure in SAP Adaptive Server Enterprise<br>Product - SAP Adaptive Server Enterprise; Version - 16.0 | High | 7 |
| 2940823 | [CVE-2020-6297] Information Disclosure in SAP Data Intelligence<br>Product - SAP Data Intelligence; Version - 3 | Medium | 6.3 |
| 2941170 | Cross-Site Scripting (XSS) vulnerabilities in modified jQuery bundled with SAPUI5<br>Related CVEs - CVE-2020-11022, CVE-2020-11023<br>Product - SAPUI5 (UISAPUI5_JAVA); Version - 7.50<br>Product - SAPUI5 (SAP_UI); Versions - 750, 751, 752, 753, 754, 755<br>Product - SAPUI5 (UI_700); Version - 200 | Medium | 6.1 |
| 2948317 | Vulnerabilities in open source libraries used in SAP Commerce<br>Related CVEs - CVE-2020-9281, CVE-2019-11358<br>Product - SAP Commerce; Versions - 6.7, 1808, 1811, 1905, 2005 | Medium | 6.1 |
| 2949196 | [CVE-2020-6301] Missing Authorization check in SAP ERP (HCM Travel Management)<br>Product - SAP ERP (HCM Travel Management); Versions - 600, 602, 603, 604, 605, 606, 607, 608 | Medium | 5.4 |
| 2925827 | [CVE-2020-6300] Cross-Site Scripting (XSS) vulnerability in SAP Business Objects Business Intelligence Platform (Central Management Console)<br>Product - SAP Business Objects Business Intelligence Platform (Central Management Console); Versions - 4.2, 4.3 | Medium | 4.8 |
| 2885671 | [CVE-2020-6273] Missing Authorization check in SAP S/4 HANA (Fiori UI for General Ledger Accounting)<br>Product - SAP S/4 HANA (Fiori UI for General Ledger Accounting); Versions - 103, 104 | Medium | 4.3 |
| 2941510 | [CVE-2020-6299] Information Disclosure in SAP NetWeaver (ABAP Server) and ABAP Platform<br>Product - SAP NetWeaver (ABAP Server) and ABAP Platform; Versions - 740, 750, 751, 752, 753, 754, 755 | Medium | 4.3 |
| 2944988 | [CVE-2020-6310] Information Disclosure in SAP NetWeaver (ABAP Server) and ABAP Platform<br>Product - SAP NetWeaver (ABAP Server) and ABAP Platform; Versions - 702, 730, 731, 740, 750 | Medium | 4.3 |

________________________________________________________________________________

[Figure: Vulnerability Type Distribution - August 2020]


# Multiple vulnerabilities on the same product can be fixed by one security note.


[Figure: Security Notes vs Priority Distribution (March 2020 – August 2020)**]


* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in the SAP Support Portal.

** Any Patch Day Security Note released after the second Tuesday will be accounted for in the following SAP Security Patch Day.


Customers who would like to take a look at all Security Notes published or updated after July 14, 2020, can go to Launchpad Expert Search → Filter 'SAP Security Notes' released between 'July 15, 2020 - August 11, 2020' → Go.

To learn more about the security researchers and research companies who have contributed to this month's security patches, visit the SAP Product Security Response Acknowledgement Page.

Do write to us at secure@sap.com with all your comments and feedback on this blog post.

SAP Product Security Response Team

