On 10 March SAP released security updates comprising 16 new patches, of which 3 are critical and 4 have "high" priority.

CERT PSE encourages administrators to review the notes published for SAP Security Patch Day and to apply the necessary updates.

Full list of patches:

| Note# | Title | Product / Versions | Priority | CVSS |
|---|---|---|---|---|
| 2890213 | [CVE-2020-6207] Missing Authentication Check in SAP Solution Manager (User-Experience Monitoring) | SAP Solution Manager (User Experience Monitoring), Version 7.2 | Hot News | 10 |
| 2845377 | [CVE-2020-6198] Missing Authentication check in SAP Solution Manager (Diagnostics Agent) | SAP Solution Manager (Diagnostics Agent), Version 7.2 | Hot News | 9.8 |
| 2622660 | Update to Security Note released on April 2018 Patch Day: Security updates for the browser control Google Chromium delivered with SAP Business Client | SAP Business Client, Version 6.5 | Hot News | 9.8 |
| 2806198 | [CVE-2020-6203] Path Manipulation in SAP NetWeaver UDDI Server (Services Registry) | SAP NetWeaver UDDI Server (Services Registry), Versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 | Hot News | 9.1 |
| 2861301 | [CVE-2020-6208] Remote Code Execution in SAP Business Objects Business Intelligence Platform (Crystal Reports) | SAP Business Objects Business Intelligence Platform (Crystal Reports), Versions 4.1, 4.2 | High | 8.2 |
| 2858044 | [CVE-2020-6209] Missing Authorization check in SAP Disclosure Management | SAP Disclosure Management, Version 10.1 | High | 7.5 |
| 2826782 | [CVE-2020-6196] Denial of service (DOS) in SAP BusinessObjects Mobile (MobileBIService) | SAP BusinessObjects Mobile (MobileBIService), Version 4.2 | High | 7.5 |
| 2660005 | Update to Security Note released on August 2018 Patch Day: [CVE-2018-2450] SQL Injection Vulnerability in SAP MaxDB/liveCache | SAP MaxDB (liveCache), Versions 7.8, 7.9 | High | 7.2 |
| 2876813 | [CVE-2020-6201] Cross-Site Scripting (XSS) vulnerability in SAP Commerce Cloud (testweb extension) | SAP Commerce Cloud (Testweb Extension), Versions 6.6, 6.7, 1808, 1811, 1905 | Medium | 6.1 |
| 2884910 | [CVE-2020-6205] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP Business Server Pages (Smart Forms) | SAP NetWeaver AS ABAP Business Server Pages (Smart Forms), SAP_BASIS, Versions 7.00, 7.01, 7.02, 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, 7.51, 7.52, 7.53, 7.54 | Medium | 6.1 |
| 2847787 | [CVE-2020-6202] Missing XML Validation in SAP NetWeaver Application Server Java (User Management Engine) | SAP NetWeaver Application Server Java (User Management Engine), Versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 | Medium | 5.5 |
| 2876413 | [CVE-2020-6200] Cross-Site Scripting in SAP Commerce Cloud (SmartEdit extension) | SAP Commerce Cloud (SmartEdit Extension), Versions 6.6, 6.7, 1808, 1811 | Medium | 5.4 |
| 2871167 | [CVE-2020-6199] Missing Authorization check in SAP ERP and S/4 HANA (MENA Certificate Management) | SAP ERP (EAPPGLO), Version 607 | Medium | 5.4 |
| 2880664 | [CVE-2020-6178] Insufficient session expiration in SAP Enable Now Manager | SAP Enable Now, Versions before 1911 | Medium | 5.4 |
| 2864462 | [CVE-2020-6210] Cross-Site Scripting (XSS) vulnerability in SAP Fiori Launchpad | SAP Fiori Launchpad, Versions 753, 754 | Medium | 4.7 |
| 2859004 | [CVE-2020-6206] Cross-Site Request Forgery in SAP Cloud Platform Integration for data services | SAP Cloud Platform Integration for Data Services, Version 1.0 | Medium | 4.7 |
| 2841874 | [CVE-2020-6204] Missing Authorization check in SAP Treasury and Risk Management (Transaction Management) | SAP Treasury and Risk Management (Transaction Management), Versions EA-FINSERV 600, 603, 604, 605, 606, 616, 617, 618, 800, S4CORE 101, 102, 103, 104 | Medium | 4.3 |
| 2845363 | [CVE-2020-6197] Insufficient session expiration in SAP Enable Now Manager | SAP Enable Now, Versions before 1908 | Medium | 3.8 |