SAP this week announced the release of 10 new Security Notes as part of its September 2020 Security Patch Day, along with updates for six previously released Security Notes.
Two of the Security Notes are rated Hot News and address critical flaws in SAP Marketing, Mobile Channel Servlet (CVE-2020-6320, improper access control) and in NetWeaver (ABAP Server) and ABAP Platform (CVE-2020-6318, code injection), which carry CVSS scores of 9.6 and 9.1, respectively.
The Mobile Channel Servlet enables mobile campaigns in which push notifications are sent to Android and iOS devices via Google Firebase. The critical flaw addressed this week allows an authenticated attacker to access restricted functionality.
“An exploit of the vulnerability allows an attacker to perform tasks related to contact and interaction data,” explains Onapsis, a firm that specializes in securing Oracle and SAP applications.
The code injection flaw in NetWeaver would allow an attacker to take full control of the application. The attacker could thus view, change, or delete data through code injected into memory and executed by the application, or could cause the application to terminate.
In addition, SAP updated two other Hot News Security Notes, one addressing a missing authorization check in Solution Manager (CVE-2020-6207, CVSS score of 10), and another that delivers security updates for the Chromium browser in Business Client (CVSS score of 9.8).
Two other updated Security Notes deal with high-severity vulnerabilities, namely a code injection in NetWeaver (ABAP) and ABAP Platform (CVE-2020-6296), and a server-side request forgery in NetWeaver AS ABAP (CVE-2020-6275).
“Three of the six HotNews and High Priority notes only contain roughly negligible update information that doesn’t require customer action (compared to the initial/previous version of the notes). The two HotNews notes #2961991 and #2958563 only affect a small number of SAP customers (SAP Marketing, SAP NetWeaver AS ABAP on DB4 or Sybase). That gives enough time to check the status of all relevant security patches in your SAP systems,” Onapsis notes.
Five Security Notes released this week address medium-risk vulnerabilities in Bank Analyzer and S/4HANA Financial Products (CVE-2020-6311), Commerce (CVE-2020-6302), NetWeaver AS ABAP (CVE-2020-6324), NetWeaver AS Java (CVE-2020-6326), and Fiori (Launchpad) (CVE-2020-6283).
Two other medium-priority Security Notes address multiple vulnerabilities in BusinessObjects Business Intelligence Platform (CVE-2020-6325, CVE-2020-6312, and CVE-2020-6288) and 3D Visual Enterprise Viewer (38 CVEs).
This week, SAP also released updates for two medium-priority bugs: one addressing cross-site scripting (XSS) vulnerabilities in the modified jQuery bundled with SAPUI5 (CVE-2020-11022, CVE-2020-11023) and another patching a server-side request forgery in NetWeaver AS JAVA (CVE-2020-6282).
SAP also announced a low-priority Security Note that patches an information disclosure vulnerability in Adaptive Server Enterprise (CVE-2020-6317).