Headline
CVE-2020-6287: SAP Security Patch Day – July 2020 - Product Security Response at SAP
SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity and Availability of the system, leading to Missing Authentication Check.
This post by SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that the customer visits the Support Portal and applies patches on a priority to protect their SAP landscape.
On 14th of July 2020, SAP Security Patch Day saw the release of 8 Security Notes. There are 2 updates to previously released Patch Day Security Note.
List of security notes released on July Patch Day:
Note#
Title
Priority
CVSS
2934135
[CVE-2020-6287] Multiple Vulnerabilities in SAP NetWeaver AS JAVA (LM Configuration Wizard)
Additional CVE - CVE-2020-6286
Product - SAP NetWeaver AS JAVA (LM Configuration Wizard); Versions - 7.30, 7.31, 7.40, 7.50
Hot News
10
2622660
_Update to Security Note released on April 2018 Patch Day:**_
Security updates for the browser control Google Chromium delivered with SAP Business Client
**Product - SAP Business Client, Version - 6.5
Hot News
9.8
2932473
[CVE-2020-6285] **Information Disclosure in SAP NetWeaver (XMLToolkit for Java)
**Product - SAP NetWeaver (XML Toolkit for JAVA); Versions - ENGINEAPI 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50
High
7.7
2758000
[CVE-2020-6267] **Multiple vulnerabilities in SAP Disclosure Management
**Additional CVEs - CVE-2020-6289, CVE-2020-6290, CVE-2020-6291, CVE-2020-6292
Product - SAP Disclosure Management ; Version - 10.1
Medium
6.3
2917743
[CVE-2020-6281] Cross-Site Scripting (XSS) vulnerability in SAP Business Objects Business Intelligence Platform(BI Launch pad)
Product - SAP Business Objects Business Intelligence Platform (BI Launchpad); Version - 4.2
Medium
6.1
2849967
[CVE-2020-6276] **Cross-Site Scripting (XSS) vulnerability in SAP Business Objects Business Intelligence Platform(Bipodata)
**Product - SAP Business Objects Business Intelligence Platform (bipodata); Version - 4.2
Medium
6.1
2896025
[CVE-2020-6282] **Server-Side Request Forgery in SAP NetWeaver AS JAVA (IIOP service)
**Product - SAP NetWeaver AS JAVA (IIOP service) (SERVERCORE); Versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 Product - SAP NetWeaver AS JAVA (IIOP service) (CORE-TOOLS); Versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50
Medium
5.8
2912708
[CVE-2020-6278] **Cross-Site Scripting (XSS) vulnerability in SAP Business Objects Business Intelligence Platform (BI Launchpad and CMC)
**Product - SAP Business Objects Business Intelligence Platform (BI Launchpad and CMC); Versions - 4.1, 4.2
Medium
5.4
2880804
Update to Security Note released on April 2020 Patch Day:
[CVE-2020-6222] **Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface)
**Product - SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface) , Versions - 4.1, 4.2
Medium
5.4
2927373
[CVE-2020-6280] **Information Disclosure in SAP NetWeaver (ABAP Server) and ABAP Platform
**Product - SAP NetWeaver (ABAP Server) and ABAP Platform; Versions - 731, 740, 750
Low
2.7
________________________________________________________________________________
Vulnerability Type Distribution - July 2020
#Multiple vulnerabilities on same product can be fixed by one security note.
Security Notes vs Priority Distribution (February 2020 – July 2020)**
* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in SAP Support Portal
** Any Patch Day Security Note released after the second Tuesday, will be accounted for in the following SAP Security Patch Day.
Customers who would like to take a look at all Security Notes published or updated after June 9, 2020, go to Launchpad Expert Search → Filter ‘SAP Security Notes’ released between ‘June 10, 2020 - July 14, 2020’ → Go.
To know more about the security researchers and research companies who have contributed for security patches of this month, visit SAP Product Security Response Acknowledgement Page.
Do write to us at [email protected] with all your comments and feedback on this blog post.
SAP Product Security Response Team