Security News > 2020 > August > SAP Releases August 2020 Security Updates
SAP this week announced the release of 15 new Security Notes as part of the August 2020 SAP Security Patch Day, including some that address serious vulnerabilities in NetWeaver.
A default component of all SAP Enterprise Portal installations, Knowledge Management allows users to manage data sources in multiple formats, to create and modify content and folders, as well as upload files.
Another Hot News Security Note released on this Security Patch Day is an update for a July 2020 Security Note that addresses a critical bug in NetWeaver AS JAVA that is tracked as CVE-2020-6287 and which is also referred to as RECON. On the August 2020 Security Patch Day, SAP also released three High Priority Security Notes addressing vulnerabilities in NetWeaver: CVE-2020-6296 - code injection in NetWeaver and ABAP Platform; CVE-2020-6309 - missing authentication in NetWeaver AS JAVA; and CVE-2020-6293 - unrestricted file upload in NetWeaver.
According to Onapsis, if a patch for the Hot News flaw in Knowledge Management is not applied, CVE-2020-6293 - which allows an attacker to create, modify, or delete files in the Knowledge Management component - can be exploited without authentication, which essentially increases its CVSS score to 9.6, making it a critical flaw.
SAP also released two High Priority Security Notes to patch missing authentication checks, one in the BusinessObjects Business Intelligence Platform - CVE-2020-6294 - and another in Banking Services - CVE-2020-6298 - and another to resolve an information disclosure flaw in Adaptive Server Enterprise - CVE-2020-6295.
News URL
http://feedproxy.google.com/~r/Securityweek/~3/y7fTxBkvFaI/sap-releases-august-2020-security-updates
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-08-12 | CVE-2020-6293 | Unrestricted Upload of File with Dangerous Type vulnerability in SAP Netweaver Knowledge Management SAP NetWeaver (Knowledge Management), versions - 7.30, 7.31, 7.40, 7.50, allows an unauthenticated attacker to upload a malicious file and also to access, modify or make unavailable existing files but the impact is limited to the files themselves and is restricted by other policies such as access control lists and other upload file size restrictions, leading to Unrestricted File Upload. | 6.4 |
| 2020-08-12 | CVE-2020-6294 | Missing Authentication for Critical Function vulnerability in SAP Businessobjects Business Intelligence Platform 4.2/4.3 Xvfb of SAP Business Objects Business Intelligence Platform, versions - 4.2, 4.3, platform on Unix does not perform any authentication checks for functionalities that require user identity. | 9.1 |
| 2020-08-12 | CVE-2020-6295 | Information Exposure vulnerability in SAP Adaptive Server Enterprise 16.0 Under certain conditions the SAP Adaptive Server Enterprise, version 16.0, allows an attacker to access encrypted sensitive and confidential information through publicly readable installation log files leading to a compromise of the installed Cockpit. | 4.6 |
| 2020-08-12 | CVE-2020-6296 | Unspecified vulnerability in SAP Abap Platform and Netweaver Application Server Abap SAP NetWeaver (ABAP Server) and ABAP Platform, versions - 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 753, 755, allows an attacker to inject code that can be executed by the application, leading to Code Injection. | 8.8 |
| 2020-08-12 | CVE-2020-6298 | Missing Authorization vulnerability in SAP Generic Market Data 400/450/500 SAP Banking Services (Generic Market Data), versions - 400, 450, 500, allows an unauthorized user to display protected Business Partner Generic Market Data (GMD) and change related GMD key figure values, due to Missing Authorization Check. | 5.5 |
| 2020-08-12 | CVE-2020-6309 | Improper Authentication vulnerability in SAP Netweaver Application Server Java SAP NetWeaver AS JAVA, versions - (ENGINEAPI 7.10; WSRM 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; J2EE-FRMW 7.10, 7.11), does not perform any authentication checks for a web service allowing the attacker to send several payloads and leading to complete denial of service. | 7.8 |
| 2020-07-14 | CVE-2020-6287 | Missing Authentication for Critical Function vulnerability in SAP Netweaver Application Server Java SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity and Availability of the system, leading to Missing Authentication Check. | 10.0 |