On 11 February SAP released security updates comprising 13 new patches, of which 1 is critical and 3 have "High" priority.
CERT PSE encourages administrators to review the notes published for the SAP Security Patch Day and to apply the necessary updates.
Full list of patches:
| Note# | Title | Priority | CVSS |
|---|---|---|---|
| 2622660 | Update to Security Note released on April 2018 Patch Day: Security updates for the browser control Google Chromium delivered with SAP Business Client. Product – SAP Business Client, Version – 6.5 | HotNews | 9.8 |
| 2841053 | [CVE-2020-6186] Denial of Service (DOS) Vulnerability in SAP Host Agent. Product – SAP Host Agent, Versions – 7.21 | High | 7.5 |
| 2878030 | [CVE-2020-6191] Missing Input Validation in SAP Landscape Management. Product – SAP Landscape Management, Version – 3.0 | High | 7.2 |
| 2877968 | [CVE-2020-6192] Missing Input Validation in SAP Landscape Management. Product – SAP Landscape Management, Version – 3.0 | High | 7.2 |
| 2870067 | Update 1 to Security Note 2736825 – [CVE-2019-0271] Denial of Service via XML External Entity (XXE) vulnerability in ABAP Server. Product – ABAP Server (used in NetWeaver and Suite/ERP), Versions – Using Kernel 7.21 or 7.22, that is ABAP Server 7.00 to 7.31; Using Kernel 7.45, 7.49 or 7.53, that is ABAP Server 7.40 to 7.52 or ABAP Platform | Medium | 6.5 |
| 2736825 | Update to Security Note released on March 2019 Patch Day: [CVE-2019-0271] Denial of Service via XML External Entity (XXE) vulnerability in ABAP Server. Product – ABAP Server (used in NetWeaver and Suite/ERP), Versions – Using Kernel 7.21 or 7.22, that is ABAP Server 7.00 to 7.31; Using Kernel 7.45, 7.49 or 7.53, that is ABAP Server 7.40 to 7.52 or ABAP Platform | Medium | 6.5 |
| 2857511 | [CVE-2020-6188] Missing Authorization check in SAP ERP and S/4 HANA (VAT Pro-Rata reports). Product – SAP ERP, Versions – SAP_APPL 600, 602, 603, 604, 605, 606, 616, SAP_FIN 617, 618, 700, 720, 730; Product – SAP S/4 HANA, Versions – S4CORE 100, 101, 102, 103, 104 | Medium | 6.3 |
| 2873012 | [CVE-2020-6193] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver (Knowledge Management ICE Service). Product – SAP NetWeaver (Knowledge Management ICE Service), Versions – 7.30, 7.31, 7.40, 7.50 | Medium | 6.1 |
| 2880869 | [CVE-2020-6184] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver and SAP S/4HANA. Additional CVE: CVE-2020-6185. Product – SAP NetWeaver, Version – SAP_BASIS 7.40; Product – SAP S/4HANA, Versions – SAP_BASIS 7.50, 7.51, 7.52, 7.53, 7.54 | Medium | 6.1 |
| 2880744 | [CVE-2020-6181] HTTP Response Splitting vulnerability in SAP NetWeaver and ABAP Platform. Product – SAP NetWeaver, Versions – SAP_BASIS 702, 730, 731, 740; Product – SAP ABAP Platform, Versions – SAP_BASIS 750, 751, 752, 753, 754 | Medium | 5.8 |
| 2838835 | [CVE-2020-6190] Information Disclosure in SAP NetWeaver AS Java (Heap Dump Application). Product – SAP NetWeaver AS Java (Heap Dump Application), Versions – 7.30, 7.31, 7.40, 7.50 | Medium | 5.8 |
| 2836445 | [CVE-2020-6183] Unprivileged Access to technical data using SAPOSCOL of SAP Host Agent. Product – SAP Host Agent, Versions – 7.21 | Medium | 5.3 |
| 2695210 | [CVE-2020-6189] Information Disclosure in SAP BusinessObjects BI Central Management Console. Product – SAP Business Objects Business Intelligence Platform (CMC), Versions – 4.2 | Medium | 5.3 |
| 2864415 | [CVE-2020-6187] Missing XML Validation vulnerability in SAP NetWeaver (Guided Procedures). Product – SAP NetWeaver (Guided Procedures), Versions – 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 | Medium | 4.9 |
| 2880993 | [CVE-2020-6177] Missing XML Validation vulnerability in SAP Mobile Platform. Product – SAP Mobile Platform, Versions – 3.0 | Medium | 4.3 |