SAP Security Notes Review: July 2020
SAP’s security patch day for July 2020 has seen the release of 8 OSS SAP security notes and 2 updates to previously released notes. Based on the CVSS v3.0 rating, 1 OSS note has been classified as low, 6 OSS notes as medium, 1 OSS note as high and 2 as critical.
4 OSS notes this month relate to SAP NetWeaver and a further 4 to SAP BusinessObjects. 1 security OSS note each has been released for SAP Disclosure Management and for SAP Business Client.
Vulnerabilities: July 2020 Highlights
[CVE-2020-6287] Multiple Vulnerabilities in SAP NetWeaver AS JAVA (LM Configuration Wizard) (SAP Note 2934135)
Vulnerabilities have been identified in the LM Configuration Wizard of SAP NetWeaver AS JAVA. The LM Configuration Wizard does not perform an authentication check, which allows an attacker without prior authentication to execute configuration tasks and perform critical actions against the SAP JAVA system. There is also insufficient input path validation of a certain parameter in the web service, which allows an unauthenticated attacker to exploit a method to download zip files to a specific directory.
Security updates for the browser control Google Chromium delivered with SAP Business Client (SAP Note 2622660)
From SAP Business Client 6.5 PL5 and above you can use the Chromium browser control for displaying HTML content within SAP Business Client. As this full browser control is delivered and installed with SAP Business Client, security corrections for it are shipped with SAP Business Client patches. If the SAP Business Client release is not updated to the latest patch level, displaying web pages in SAP Business Client via this open source browser control may expose the client to vulnerabilities such as memory corruption and information disclosure.
[CVE-2020-6285] Information Disclosure in SAP NetWeaver (XMLToolkit for Java) (SAP Note 2932473)
Under certain conditions SAP XML Toolkit for Java allows an attacker to access arbitrary files which would otherwise be restricted.
About this review
On the second Tuesday of each month, SAP releases security updates for its software products. At Absoft, we analyse all of the released security updates and produce this security review, including sending bespoke recommendations to each of our managed service customers.
There is more information on how we handle SAP security updates, including information on SAP’s process, the CVE process and the CVSS base scores in our earlier article on addressing security vulnerabilities in SAP software.