Security News > 2020 > August > SAP Releases August 2020 Security Updates

SAP Releases August 2020 Security Updates
2020-08-12 10:35

SAP this week announced the release of 15 new Security Notes as part of the August 2020 SAP Security Patch Day, including some that address serious vulnerabilities in NetWeaver.

A default component of all SAP Enterprise Portal installations, Knowledge Management allows users to manage data sources in multiple formats, to create and modify content and folders, as well as upload files.

Another Hot News Security Note released on this Security Patch Day is an update for a July 2020 Security Note that addresses a critical bug in NetWeaver AS JAVA that is tracked as CVE-2020-6287 and which is also referred to as RECON. On the August 2020 Security Patch Day, SAP also released three High Priority Security Notes addressing vulnerabilities in NetWeaver: CVE-2020-6296 - code injection in NetWeaver and ABAP Platform; CVE-2020-6309 - missing authentication in NetWeaver AS JAVA; and CVE-2020-6293 - unrestricted file upload in NetWeaver.

According to Onapsis, if a patch for the Hot News flaw in Knowledge Management is not applied, CVE-2020-6293 - which allows an attacker to create, modify, or delete files in the Knowledge Management component - can be exploited without authentication, which essentially increases its CVSS score to 9.6, making it a critical flaw.

SAP also released two High Priority Security Notes to patch missing authentication checks, one in the BusinessObjects Business Intelligence Platform - CVE-2020-6294 - and another in Banking Services - CVE-2020-6298 - and another to resolve an information disclosure flaw in Adaptive Server Enterprise - CVE-2020-6295.


News URL

http://feedproxy.google.com/~r/Securityweek/~3/y7fTxBkvFaI/sap-releases-august-2020-security-updates

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2020-08-12 CVE-2020-6293 Unrestricted Upload of File with Dangerous Type vulnerability in SAP Netweaver Knowledge Management
SAP NetWeaver (Knowledge Management), versions - 7.30, 7.31, 7.40, 7.50, allows an unauthenticated attacker to upload a malicious file and also to access, modify or make unavailable existing files but the impact is limited to the files themselves and is restricted by other policies such as access control lists and other upload file size restrictions, leading to Unrestricted File Upload.
network
low complexity
sap CWE-434
6.5
2020-08-12 CVE-2020-6294 Missing Authentication for Critical Function vulnerability in SAP Businessobjects Business Intelligence Platform 4.2/4.3
Xvfb of SAP Business Objects Business Intelligence Platform, versions - 4.2, 4.3, platform on Unix does not perform any authentication checks for functionalities that require user identity.
network
low complexity
sap CWE-306
critical
9.1
2020-08-12 CVE-2020-6295 Incorrect Permission Assignment for Critical Resource vulnerability in SAP Adaptive Server Enterprise 16.0
Under certain conditions the SAP Adaptive Server Enterprise, version 16.0, allows an attacker to access encrypted sensitive and confidential information through publicly readable installation log files leading to a compromise of the installed Cockpit.
local
low complexity
sap CWE-732
7.8
2020-08-12 CVE-2020-6296 Unspecified vulnerability in SAP Abap Platform and Netweaver Application Server Abap
SAP NetWeaver (ABAP Server) and ABAP Platform, versions - 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 753, 755, allows an attacker to inject code that can be executed by the application, leading to Code Injection.
network
low complexity
sap
8.8
2020-08-12 CVE-2020-6298 Missing Authorization vulnerability in SAP Generic Market Data 400/450/500
SAP Banking Services (Generic Market Data), versions - 400, 450, 500, allows an unauthorized user to display protected Business Partner Generic Market Data (GMD) and change related GMD key figure values, due to Missing Authorization Check.
network
low complexity
sap CWE-862
8.1
2020-08-12 CVE-2020-6309 Missing Authentication for Critical Function vulnerability in SAP Netweaver Application Server Java
SAP NetWeaver AS JAVA, versions - (ENGINEAPI 7.10; WSRM 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; J2EE-FRMW 7.10, 7.11), does not perform any authentication checks for a web service allowing the attacker to send several payloads and leading to complete denial of service.
network
low complexity
sap CWE-306
7.5
2020-07-14 CVE-2020-6287 Missing Authentication for Critical Function vulnerability in SAP Netweaver Application Server Java
SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity and Availability of the system, leading to Missing Authentication Check.
network
low complexity
sap CWE-306
critical
10.0

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
SAP 328 25 679 386 113 1203