On 13 October 2020 SAP published its monthly Security Patch Day updates: 15 new Security Notes (plus 6 updates to previously released notes, included in the list below), two of which are rated Hot News (critical). The highest-rated entry, Note 2969828 (CVSS 10.0), concerns the CA Introscope Enterprise Manager component shipped with SAP Solution Manager and SAP Focused Run.
CERT PSE encourages administrators to review the SAP Security Patch Day notes and apply the necessary updates.
Full list of patches:
| Note | Title | Affected product and versions | Priority | CVSS |
|---|---|---|---|---|
| 2969828 | [CVE-2020-6364] OS Command Injection Vulnerability in CA Introscope Enterprise Manager (affected products: SAP Solution Manager and SAP Focused Run) | SAP Solution Manager (CA Introscope Enterprise Manager) and SAP Focused Run (CA Introscope Enterprise Manager), versions WILY_INTRO_ENTERPRISE 9.7, 10.1, 10.5, 10.7 | Hot News | 10.0 |
| 2622660 | Update to security note released on April 2018 Patch Day: Security updates for the browser control Google Chromium delivered with SAP Business Client | SAP Business Client, version 6.5 | Hot News | 9.8 |
| 2941667 | Update to security note released on August 2020 Patch Day: [CVE-2020-6296] Code Injection Vulnerability in SAP NetWeaver (ABAP) and ABAP Platform | SAP NetWeaver (ABAP Server) and ABAP Platform, versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 753, 755 | High | 8.3 |
| 2972661 | [CVE-2020-6367] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Composite Application Framework | SAP NetWeaver Composite Application Framework, versions 7.20, 7.30, 7.31, 7.40, 7.50 | High | 8.2 |
| 2969457 | [CVE-2020-6366] Missing XML Validation in SAP NetWeaver (Compare Systems) | SAP NetWeaver (Compare Systems), versions 7.20, 7.30, 7.31, 7.40, 7.50 | High | 7.6 |
| 2971638 | [CVE-2020-6369] Hard-coded Credentials in CA Introscope Enterprise Manager (affected products: SAP Solution Manager and SAP Focused Run) | CA Introscope Enterprise Manager, versions 9.7, 10.1, 10.5, 10.7 | High | 7.5 |
| 2941315 | Update to security note released on August 2020 Patch Day: [CVE-2020-6309] Missing Authentication check in SAP NetWeaver AS JAVA | SAP NetWeaver AS JAVA: ENGINEAPI versions 7.10, 7.11; WSRM versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; J2EE-FRMW versions 7.10, 7.11 | High | 7.5 |
| 2898077 | Update to security note released on April 2020 Patch Day: [CVE-2020-6237] Information Disclosure in SAP Business Objects Business Intelligence Platform (dswsbobje Web Application) | SAP Business Objects Business Intelligence Platform, versions 4.1, 4.2 | High | 7.5 |
| 2902456 | Update to security note released on April 2020 Patch Day: [CVE-2020-6236] Privilege Escalation in SAP Landscape Management (SAP Adaptive Extensions) | SAP Landscape Management, version 3.0; SAP Adaptive Extensions, version 1.0 | High | 7.2 |
| 2956398 | [CVE-2020-6319] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS Java | SAP NetWeaver Application Server Java, versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 | Medium | 6.1 |
| 2973497 | [CVE-2020-6315] Multiple Vulnerabilities in SAP 3D Visual Enterprise Viewer (additional CVEs: CVE-2020-6372, CVE-2020-6373, CVE-2020-6374, CVE-2020-6375, CVE-2020-6376) | SAP 3D Visual Enterprise Viewer, version 9 | Medium | 5.7 |
| 2917381 | [CVE-2020-6272] Cross-Site Scripting (XSS) vulnerability in SAP Commerce Cloud | SAP Commerce Cloud, versions 1808, 1811, 1905, 2005 | Medium | 5.4 |
| 2960825 | [CVE-2020-6368] Cross-Site Scripting (XSS) vulnerability in SAP Business Planning and Consolidation | SAP Business Planning and Consolidation, versions 750, 751, 752, 753, 754, 755, 810, 100, 200 | Medium | 5.4 |
| 2949196 | Update to security note released on August 2020 Patch Day: [CVE-2020-6301] Missing Authorization check in SAP ERP (HCM Travel Management) | SAP ERP (HCM Travel Management), versions 600, 602, 603, 604, 605, 606, 607, 608 | Medium | 5.4 |
| 2943844 | [CVE-2020-6308] Server-Side Request Forgery vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Services) | SAP BusinessObjects Business Intelligence Platform (Web Services); affected versions as listed in SAP Note 2943844 | Medium | 5.3 |
| 2939419 | [CVE-2020-6370] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver (DI Design Time Repository) | SAP NetWeaver (DI Design Time Repository), versions 7.11, 7.30, 7.31, 7.40, 7.50 | Medium | 4.8 |
| 2965315 | [CVE-2020-6365] Reverse Tabnabbing vulnerability in SAP NetWeaver AS Java Start Page | SAP NetWeaver Application Server Java, versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 | Medium | 4.7 |
| 2960329 | [CVE-2020-6323] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal (Fiori Framework Page) | SAP NetWeaver Enterprise Portal (Fiori Framework Page), versions 7.31, 7.40, 7.50 | Medium | 4.4 |
| 2963137 | [CVE-2020-6371] Information disclosure in SAP NetWeaver AS ABAP via the POWL Test Feeder endpoint | SAP NetWeaver Application Server ABAP (POWL test application), versions 710, 711, 730, 731, 740, 750 | Medium | 4.3 |
| 2953212 | [CVE-2020-6362] Incorrect Authorization in SAP Banking Services | SAP Banking Services, version 500 | Medium | 4.3 |
| 2965287 | [CVE-2020-6363] Insufficient Session Expiration in SAP Commerce Cloud | SAP Commerce Cloud, versions 1808, 1811, 1905, 2005 | Low | 3.7 |