SAP Security Notes Review: October 2020
13th October 2020
SAP’s Security Patch Day for October 2020 saw the release of 15 new OSS SAP security notes and 6 updates to existing notes. Of these 21 notes, 1 has been classified as low, 11 as medium, 7 as high and 2 as critical, based on the CVSS v3.0 base score.
Three OSS notes have been released this month for SAP NetWeaver AS ABAP, SAP NetWeaver AS JAVA and SAP Commerce. Single notes have been released for SAP Composite Application Framework, SAP Compare Systems, CA Introscope Enterprise Manager, SAP Business Objects, SAP Landscape Management, SAP Banking Services, SAP 3D Visual Enterprise Viewer, SAP ERP, SAP Design Time Repository, SAP Enterprise Portal and SAP Business Planning.
Vulnerabilities: October 2020 Highlights
[CVE-2020-6364] OS Command Injection Vulnerability in CA Introscope Enterprise Manager (Affected Products: SAP Solution Manager and SAP Focused Run) (SAP Note 2969828)
A remote OS command injection vulnerability exists in CA Introscope Enterprise Manager, which is deployed as part of SAP Solution Manager and SAP Focused Run landscapes. An attacker can exploit it to potentially gain control of the host running CA Introscope Enterprise Manager, impacting the confidentiality, integrity and availability of the service.
[CVE-2020-6367] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Composite Application Framework (SAP Note 2972661)
A reflected cross-site scripting vulnerability exists in SAP NetWeaver Composite Application Framework. An unauthenticated attacker can trick an unsuspecting authenticated user into clicking a malicious link; the user’s browser has no way to know that the injected script should not be trusted and executes it, which can result in sensitive information being disclosed or modified.
[CVE-2020-6366] Missing XML Validation in SAP NetWeaver (Compare Systems) (SAP Note 2969457)
SAP NetWeaver (Compare Systems) does not sufficiently validate uploaded XML documents. An attacker with administrative privileges can use this to retrieve arbitrary files from the server, including files at operating-system level, and/or cause a denial of service. Note that administrative access is a precondition, which limits who can reach the flaw but not what it exposes once reached.
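As an added illustration (this is not code from SAP, from the note, or from Absoft): the combination the note describes, arbitrary file retrieval plus denial of service from unvalidated uploaded XML, is the classic outcome of an XML parser that resolves external entities (XXE) and expands nested entity declarations (an entity-expansion bomb). The Python below shows a generic pre-parse gate of the kind any application accepting XML uploads should have: it refuses any document that carries a DTD at all, caps the upload size, and rejects multi-byte encodings that would hide the DOCTYPE keyword from a byte-level check. The size limit, the sample payloads and all function names are assumptions made for the example; the actual correction for SAP NetWeaver is the one delivered with SAP Note 2969457.

```python
"""Pre-parse gate for uploaded XML documents (added example, not SAP's fix)."""
import re
import xml.etree.ElementTree as ET

MAX_UPLOAD_BYTES = 1_000_000  # assumed policy limit, not taken from the SAP note

# "<!DOCTYPE" and "<!ENTITY" must appear literally and in upper case in XML,
# with no whitespace after "<!", so a byte-level match is sufficient.
_DTD_DECL = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b")


class RejectedUpload(ValueError):
    """Raised when an uploaded document fails the pre-parse checks."""


def check_uploaded_xml(raw: bytes) -> None:
    """Fail closed on anything that could carry entity declarations."""
    if len(raw) > MAX_UPLOAD_BYTES:
        raise RejectedUpload("document exceeds the size limit")
    # A NUL byte cannot occur in XML text, but every UTF-16/UTF-32 encoding of
    # ASCII markup contains them. Rejecting NULs closes the bypass where
    # "<!DOCTYPE" is re-encoded so that the byte pattern below never matches.
    if b"\x00" in raw:
        raise RejectedUpload("only single-byte encodings are accepted")
    if _DTD_DECL.search(raw):
        raise RejectedUpload("DOCTYPE and ENTITY declarations are not permitted")


def parse_uploaded_xml(raw: bytes) -> ET.Element:
    """Gate first, then hand the document to the standard-library parser."""
    check_uploaded_xml(raw)
    return ET.fromstring(raw)


def is_accepted(raw: bytes) -> bool:
    """True if the gate lets the document through and it parses."""
    try:
        parse_uploaded_xml(raw)
        return True
    except (RejectedUpload, ET.ParseError):
        return False


def ungated_text_length(raw: bytes) -> int:
    """Parse WITHOUT the gate and return the length of the root element's text.

    Used only to show that the parser really does expand internal entities,
    which is what turns a few hundred bytes of declarations into a bomb.
    """
    return len(ET.fromstring(raw).text or "")


# Constructed sample uploads (illustrative, not taken from the SAP note).
BENIGN = b'<?xml version="1.0"?><systems><system sid="DEV"/></systems>'

# External entity pointing at an OS-level file: the file-retrieval case.
FILE_READ = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE systems [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    b"<systems><system>&xxe;</system></systems>"
)

# Three levels of ten-fold expansion: 1,000 characters from about 150 bytes.
# Ten levels would be 10^10 characters, which is the denial-of-service case.
BOMB = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE systems [<!ENTITY a "aaaaaaaaaa">'
    b'<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">'
    b'<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">]>'
    b"<systems>&c;</systems>"
)

if __name__ == "__main__":
    print("benign accepted:", is_accepted(BENIGN))
    print("file-read payload accepted:", is_accepted(FILE_READ))
    print("bomb accepted:", is_accepted(BOMB))
    print("bomb re-encoded as UTF-16 accepted:",
          is_accepted(BOMB.decode().encode("utf-16")))
    print("ungated parser expands the bomb to",
          ungated_text_length(BOMB), "characters")
```

The gate fails closed: a legitimate document that happens to carry a DOCTYPE is refused too, which is the right default for a system-comparison upload that never needs one. Where DTDs are genuinely required, the equivalent control moves into the parser configuration instead, for example disabling external entity resolution and capping entity expansion (on a Java stack, the `http://apache.org/xml/features/disallow-doctype-decl` feature on `DocumentBuilderFactory` is the usual switch).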
[CVE-2020-6369] Hard-coded Credentials in CA Introscope Enterprise Manager (Affected products: SAP Solution Manager and SAP Focused Run) (SAP Note 2971638)
Some older versions of CA Introscope Enterprise Manager allow unauthenticated attackers to bypass authentication if the default passwords for the Admin and Guest accounts have not been changed by the administrator. Checking whether these two accounts still carry their default passwords is a quick verification that does not depend on the patch status of the system.
About this review
On the second Tuesday of each month, SAP releases security updates for its software products. At Absoft, we analyse all of the released security updates and produce this security review, including bespoke recommendations for each of our managed service customers.
There is more information on how we handle SAP security updates, including SAP’s process, the CVE process and CVSS base scores, in our earlier article on addressing security vulnerabilities in SAP software.