On 11 August, SAP released security updates comprising 16 new patches, 2 of which are critical.

CERT PSE encourages administrators to review the SAP Security Patch Day notes and apply the necessary updates.

Full list of patches:

| Note# | Title | Priority | CVSS |
|---|---|---|---|
| 2934135 | Update to Security Note released on July 2020 Patch Day: [CVE-2020-6287] Multiple Vulnerabilities in SAP NetWeaver AS JAVA (LM Configuration Wizard)<br>Additional CVE – CVE-2020-6286<br>Product – SAP NetWeaver AS JAVA (LM Configuration Wizard); Versions – 7.30, 7.31, 7.40, 7.50 | Hot News | 10 |
| 2928635 | [CVE-2020-6284] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver (Knowledge Management)<br>Product – SAP NetWeaver (Knowledge Management); Versions – 7.30, 7.31, 7.40, 7.50 | Hot News | 9 |
| 2927956 | [CVE-2020-6294] Missing Authentication check in SAP BusinessObjects Business Intelligence Platform<br>Product – SAP Business Objects Business Intelligence Platform; Versions – 4.2, 4.3 | High | 8.5 |
| 2939685 | [CVE-2020-6298] Missing Authorization check in SAP Banking Services (Generic Market Data)<br>Product – SAP Banking Services (Generic Market Data); Versions – 400, 450, 500 | High | 8.3 |
| 2941667 | [CVE-2020-6296] Code Injection Vulnerability in SAP NetWeaver (ABAP) and ABAP Platform<br>Product – SAP NetWeaver (ABAP Server) and ABAP Platform; Versions – 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 753, 755 | High | 8.3 |
| 2941315 | [CVE-2020-6309] Missing Authentication check in SAP NetWeaver AS JAVA<br>Product – SAP NetWeaver AS JAVA (ENGINEAPI); Versions – 7.10, 7.10<br>Product – SAP NetWeaver AS JAVA (WSRM); Versions – 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50<br>Product – SAP NetWeaver AS JAVA (SERVERCORE); Versions – 7.10, 7.10, 7.11<br>Product – SAP NetWeaver AS JAVA (J2EE-FRMW); Versions – J2EE-FRMW 7.10, 7.11 | High | 7.5 |
| 2938162 | [CVE-2020-6293] Unrestricted File Upload in SAP NetWeaver (Knowledge Management)<br>Product – SAP NetWeaver (Knowledge Management); Versions – 7.30, 7.31, 7.40, 7.50 | High | 7.3 |
| 2941332 | [CVE-2020-6295] Information Disclosure in SAP Adaptive Server Enterprise<br>Product – SAP Adaptive Server Enterprise; Version – 16.0 | High | 7 |
| 2948317 | Cross-Site Scripting (XSS) vulnerabilities in SAP Commerce<br>Related CVEs – CVE-2020-9281, CVE-2019-11358<br>Product – SAP Commerce; Versions – 6.7, 1808, 1811, 1905, 2005 | Medium | 6.4 |
| 2940823 | [CVE-2020-6297] Information Disclosure in SAP Data Intelligence<br>Product – SAP Data Intelligence; Version – 3 | Medium | 6.3 |
| 2941170 | Cross-Site Scripting (XSS) vulnerabilities in modified jQuery bundled with SAPUI5<br>Related CVEs – CVE-2020-11022, CVE-2020-11023<br>Product – SAPUI5 (UISAPUI5_JAVA); Version – 7.50<br>Product – SAPUI5 (SAP_UI); Versions – 750, 751, 752, 753, 754, 755<br>Product – SAPUI5 (UI_700); Version – 200 | Medium | 6.1 |
| 2949196 | [CVE-2020-6301] Missing Authorization check in SAP ERP (HCM Travel Management)<br>Product – SAP ERP (HCM Travel Management); Versions – 600, 602, 603, 604, 605, 606, 607, 608 | Medium | 5.4 |
| 2925827 | [CVE-2020-6300] Cross-Site Scripting (XSS) vulnerability in SAP Business Objects Business Intelligence Platform (Central Management Console)<br>Product – SAP Business Objects Business Intelligence Platform (Central Management Console); Versions – 4.2, 4.3 | Medium | 4.8 |
| 2885671 | [CVE-2020-6273] Missing Authorization check in SAP S/4 HANA (Fiori UI for General Ledger Accounting)<br>Product – SAP S/4 HANA (Fiori UI for General Ledger Accounting); Versions – 103, 104 | Medium | 4.3 |
| 2941510 | [CVE-2020-6299] Information Disclosure in SAP NetWeaver (ABAP Server) and ABAP Platform<br>Product – SAP NetWeaver (ABAP Server) and ABAP Platform; Versions – 740, 750, 751, 752, 753, 754, 755 | Medium | 4.3 |
| 2944988 | [CVE-2020-6310] Information Disclosure in SAP NetWeaver (ABAP Server) and ABAP Platform<br>Product – SAP NetWeaver (ABAP Server) and ABAP Platform; Versions – 702, 730, 731, 740, 750 | Medium | 4.3 |