On 14 April SAP released security updates comprising 23 new patches, of which 5 are critical (Hot News) and 5 have "High" priority.
CERT PSE encourages administrators to review the notes published for the SAP Security Patch Day and to apply the necessary updates.
Full list of patches:
| Note# | Title | Product / Versions | Priority | CVSS |
|---|---|---|---|---|
| 2904480 | [CVE-2020-6238] Missing XML Validation vulnerability in SAP Commerce | SAP Commerce, versions 6.6, 6.7, 1808, 1811, 1905 | Hot News | 9.3 |
| 2839864 | Update to Security Note released on November 2019 Patch Day (Update 2 to Security Note 2808158): [CVE-2019-0330] OS Command Injection vulnerability in SAP Diagnostics Agent | SAP Diagnostic Agent (LM-Service), version 7.20 | Hot News | 9.1 |
| 2896682 | [CVE-2020-6225] Directory Traversal vulnerability in SAP NetWeaver (Knowledge Management) | SAP NetWeaver (Knowledge Management): KMC-CM 7.00, 7.01, 7.02, 7.30, 7.31, 7.40, 7.50; KMC-WPC 7.30, 7.31, 7.40, 7.50 | Hot News | 9.1 |
| 2863731 | [CVE-2020-6219] Deserialization of Untrusted Data in SAP Business Objects Business Intelligence Platform (CrystalReports WebForm Viewer) | SAP Business Objects Business Intelligence Platform (CrystalReports WebForm Viewer), versions 4.1, 4.2 | Hot News | 9.1 |
| 2900118 | [CVE-2020-6230] Code Injection vulnerability in SAP OrientDB 3.0 | SAP OrientDB, version 3.0 | Hot News | 9.1 |
| 2906994 | [CVE-2020-6235] Missing authentication check in SAP Solution Manager (Diagnostics Agent) | SAP Solution Manager (Diagnostics Agent), version 7.2 | High | 8.6 |
| 2861301 | Update to Security Note released on March 2020 Patch Day: [CVE-2020-6208] Remote Code Execution in SAP Business Objects Business Intelligence Platform (Crystal Reports) | SAP Business Objects Business Intelligence Platform (Crystal Reports), versions 4.1, 4.2, 4.3 | High | 8.1 |
| 2898077 | [CVE-2020-6237] Information Disclosure in SAP Business Objects Business Intelligence Platform (dswsbobje Web Application) | SAP Business Objects Business Intelligence Platform, versions 4.1, 4.2 | High | 7.5 |
| 2902645 | [CVE-2020-6234] Privilege Escalation in SAP Host Agent | SAP Host Agent, version 7.21 | High | 7.2 |
| 2902456 | [CVE-2020-6236] Privilege Escalation in SAP Landscape Management 3.0/SAP Adaptive Extensions | SAP Landscape Management, version 3.0; SAP Adaptive Extensions, version 1.0 | High | 7.2 |
| 2878507 | [CVE-2020-6195] Multiple vulnerabilities in SAP Business Objects Business Intelligence Platform (additional CVEs: CVE-2020-6220, CVE-2020-6218, CVE-2020-6211, CVE-2020-6223, CVE-2020-6221) | SAP Business Objects Business Intelligence Platform, versions 4.1, 4.2 | Medium | 6.4 |
| 2864966 | [CVE-2020-6212] Missing Authorization Check in SAP ERP & S/4 HANA (Egypt localized Withholding Tax reports) | SAP ERP, versions 618, 730, EAPPLGLO 607; SAP S/4 HANA, versions 100, 101, 102, 103, 104 | Medium | 6.3 |
| 2826528 | [CVE-2020-6224] Information Disclosure in SAP NetWeaver Application Server Java (HTTP Service) | SAP NetWeaver AS Java (HTTP Service), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 | Medium | 6.2 |
| 2876059 | [CVE-2020-6216] Cross-Site Scripting (XSS) vulnerability in SAP Business Objects Business Intelligence Platform (BILaunchpad/Opendocument) | SAP Business Objects Business Intelligence Platform (BI Launchpad), version 4.2 | Medium | 6.1 |
| 2872782 | [CVE-2020-6215] Cross-Site Scripting (XSS) vulnerability in SAP Fiori Launchpad | SAP NetWeaver AS ABAP (Business Server Pages Test Application IT00), versions 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754 | Medium | 6.1 |
| 2872752 | [CVE-2020-6213] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP (Business Server Pages Test Application SBSPEXT_PHTMLB) | SAP NetWeaver AS ABAP (Business Server Pages Test Application SBSPEXT_PHTMLB), versions 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754 | Medium | 6.1 |
| 2872545 | [CVE-2020-6217] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP (Business Server Pages Test Application IT05) | SAP NetWeaver AS ABAP (Business Server Pages Test Application IT05), versions 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754 | Medium | 6.1 |
| 2900374 | [CVE-2020-6229] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP (Business Server Pages application CRM_BSP_FRAME) | SAP NetWeaver AS ABAP (Business Server Pages application CRM_BSP_FRAME), versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 75A, 75B, 75C, 75D, 75E | Medium | 6.1 |
| 2879132 | [CVE-2020-6226] Cross-Site Scripting (XSS) vulnerabilities in SAP Business Objects Business Intelligence Platform (Web Intelligence HTML interface) (additional CVE: CVE-2020-6231) | SAP Business Objects Business Intelligence Platform (Web Intelligence HTML interface), version 4.2 | Medium | 5.4 |
| 2880804 | [CVE-2020-6222] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface) | SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), versions 4.1, 4.2 | Medium | 5.4 |
| 2866752 | [CVE-2020-6228] Missing Integrity Check in SAP Business Client | SAP Business Client, versions 6.5, 7.0 | Medium | 5.3 |
| 2863396 | [CVE-2020-6227] Remote unauthenticated log injection in SAP Business Objects Business Intelligence Platform (CMS / Auditing issues) | SAP Business Objects Business Intelligence Platform (CMS / Auditing issues), version 4.2 | Medium | 5.3 |
| 2888556 | [CVE-2020-6232] Missing Authorization check in SAP Commerce | SAP Commerce, versions 1811, 1905 | Medium | 5.3 |
| 2864462 | Update to Security Note released on March 2020 Patch Day: [CVE-2020-6210] Cross-Site Scripting (XSS) vulnerability in SAP Fiori Launchpad | SAP Fiori Launchpad, versions 753, 754 | Medium | 4.7 |
| 2897612 | [CVE-2020-6214] Incorrect Authorization in SAP S/4HANA (Financial Products Subledger) | SAP S/4HANA (Financial Products Subledger), version 100 | Medium | 4.7 |
| 2904796 | [CVE-2020-6233] Missing Authorization Check in SAP S/4 HANA (Financial Products Subledger and Banking Services) | SAP S/4 HANA (Financial Products Subledger and Banking Services), versions FSAPPL 400, 450, 500; S4FPSL 100 | Medium | 4.3 |