This post by the SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply the patches on priority to protect their SAP landscape.
On 8 September 2020, SAP Security Patch Day saw the release of 10 Security Notes. There were also 6 updates to previously released Patch Day Security Notes.
List of security notes released on September Patch Day:
| Note# | Title | Priority | CVSS |
| --- | --- | --- | --- |
| 2890213 | Update to security note released on March 2020 Patch Day: [CVE-2020-6207] Missing Authentication Check in SAP Solution Manager. Product - SAP Solution Manager (User Experience Monitoring), Version - 7.2 | Hot News | 10 |
| 2622660 | Update to security note released on April 2018 Patch Day: Security updates for the browser control Google Chromium delivered with SAP Business Client. Product - SAP Business Client, Version - 6.5 | Hot News | 9.8 |
| 2961991 | [CVE-2020-6320] Improper Access Control in SAP Marketing (Mobile Channel Servlet). Product - SAP Marketing (Mobile Channel Servlet), Versions - 130, 140, 150 | Hot News | 9.6 |
| 2958563 | [CVE-2020-6318] Code Injection vulnerability in SAP NetWeaver (ABAP Server) and ABAP Platform. Product - SAP NetWeaver (ABAP Server) and ABAP Platform, Versions - 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755 | Hot News | 9.1 |
| 2941667 | Update to security note released on August 2020 Patch Day: [CVE-2020-6296] Code Injection Vulnerability in SAP NetWeaver (ABAP) and ABAP Platform. Product - SAP NetWeaver (ABAP Server) and ABAP Platform, Versions - 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 753, 755 | High | 8.3 |
| 2912939 | Update to security note released on June 2020 Patch Day: [CVE-2020-6275] Server Side Request Forgery vulnerability in SAP NetWeaver AS ABAP. Product - SAP NetWeaver AS ABAP, Versions - 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754 | High | 7.6 |
| 2951325 | [CVE-2020-6311] Improper Authorization Checks in Banking services from SAP Bank Analyzer and SAP S/4HANA Financial Products. Product - BANKING SERVICES FROM SAP 9.0 (Bank Analyzer), Version - 500; Product - S/4HANA FIN PROD SUBLDGR, Version - 100 | Medium | 6.5 |
| 2934451 | [CVE-2020-6302] Session Fixation in SAP Commerce. Product - SAP Commerce, Versions - 6.7, 1808, 1811, 1905, 2005 | Medium | 6.4 |
| 2948239 | [CVE-2020-6324] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP (BSP Test Application). Product - SAP NetWeaver AS ABAP (BSP Test Application), Versions - 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, 755 | Medium | 6.1 |
| 2941170 | Update to security note released on August 2020 Patch Day: Cross-Site Scripting (XSS) vulnerabilities in modified jQuery bundled with SAPUI5. Related CVEs - CVE-2020-11022, CVE-2020-11023. Product - SAPUI5 (UISAPUI5_JAVA), Version - 7.50; Product - SAPUI5 (SAP_UI), Versions - 750, 751, 752, 753, 754, 755; Product - SAPUI5 (UI_700), Version - 200 | Medium | 6.1 |
| 2896025 | Update to security note released on July 2020 Patch Day: [CVE-2020-6282] Server-Side Request Forgery in SAP NetWeaver AS JAVA (IIOP service). Product - SAP NetWeaver AS JAVA (IIOP service) (SERVERCORE), Versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; Product - SAP NetWeaver AS JAVA (IIOP service) (CORE-TOOLS), Versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 | Medium | 5.8 |
| 2953112 | [CVE-2020-6326] Cross-Site Scripting (XSS) vulnerabilities in SAP NetWeaver AS Java. Additional CVE - CVE-2020-6313. Product - SAP NetWeaver (Knowledge Management), Versions - 7.30, 7.31, 7.40, 7.50 | Medium | 5.4 |
| 2930128 | [CVE-2020-6325] Multiple Vulnerabilities in SAP BusinessObjects Business Intelligence Platform. Additional CVEs - CVE-2020-6312, CVE-2020-6288. Product - SAP BusinessObjects Business Intelligence Platform (BI Workspace), Versions - 4.1, 4.2 | Medium | 5.4 |
| 2865229 | [CVE-2020-6283] Cross-Site Scripting (XSS) vulnerability in SAP Fiori (Launchpad). Product - SAP Fiori (Launchpad), Versions - 750, 752, 753, 754, 755 | Medium | 4.8 |
| 2960815 | [Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer. CVEs - CVE-2020-6322, CVE-2020-6327, CVE-2020-6330, CVE-2020-6333, CVE-2020-6346, CVE-2020-6350, CVE-2020-6339, CVE-2020-6356, CVE-2020-6360, CVE-2020-6361, CVE-2020-6328, CVE-2020-6341, CVE-2020-6343, CVE-2020-6351, CVE-2020-6352, CVE-2020-6358, CVE-2020-6348, CVE-2020-6349, CVE-2020-6347, CVE-2020-6337, CVE-2020-6331, CVE-2020-6332, CVE-2020-6335, CVE-2020-6314, CVE-2020-6359, CVE-2020-6344, CVE-2020-6340, CVE-2020-6336, CVE-2020-6338, CVE-2020-6334, CVE-2020-6353, CVE-2020-6329, CVE-2020-6354, CVE-2020-6345, CVE-2020-6355, CVE-2020-6342, CVE-2020-6321, CVE-2020-6357. Product - SAP 3D Visual Enterprise Viewer, Version - 9 | Medium | 4.3 |
| 2953203 | [CVE-2020-6317] Information Disclosure in SAP Adaptive Server Enterprise. Product - SAP Adaptive Server Enterprise, Versions - 15.7, 16.0 | Low | 2.6 |
[Chart: Vulnerability Type Distribution - September 2020]
(#) Multiple vulnerabilities on the same product can be fixed by one security note.
[Chart: Security Notes vs Priority Distribution (April 2020 – September 2020)**]
* Patch Day Security Notes are all notes that appear under the category "Patch Day Notes" in the SAP Support Portal.
** Any Patch Day Security Note released after the second Tuesday will be accounted for in the following SAP Security Patch Day.
Customers who would like to see all Security Notes published or updated after August 11, 2020 can go to Launchpad Expert Search → Filter 'SAP Security Notes' released between 'August 12, 2020 - September 08, 2020' → Go.
To learn more about the security researchers and research companies who contributed to this month's security patches, visit the SAP Product Security Response Acknowledgement Page.
Do write to us at secure@sap.com with all your comments and feedback on this blog post.