Critical Flaws in SAP Marketing – Mobile Channel Servlet and NetWeaver


As part of its September 2020 Security Patch Day, SAP announced this week the release of 10 new Security Notes, as well as updates to 6 previous Security Notes.

Two of the Security Notes are rated as Hot News and address critical flaws in SAP Marketing – Mobile Channel Servlet (CVE-2020-6320 – Incorrect Access Control) and in NetWeaver (ABAP Server) and ABAP Platform (CVE-2020-6318 – Code Injection), with CVSS scores of 9.6 and 9.1, respectively.

Mobile Channel Servlet allows for mobile campaigns in which push notifications are sent via Google Firebase to Android and iOS devices. The critical flaw addressed this week allows access to restricted functions by an authenticated attacker.

“An exploitation of the vulnerability allows an attacker to perform contact and interaction data related tasks,” explains Onapsis, a firm specialising in securing Oracle and SAP applications.

The code injection flaw in NetWeaver would allow an attacker to take complete control of the application. The attacker could view, change, or delete data via code injected into memory and executed by the application, or cause the application to terminate.

In addition, SAP updated two other Hot News Security Notes, one addressing a missing authorization check in Solution Manager (CVE-2020-6207, CVSS score of 10), and the other dealing with security updates for the Business Client Chromium browser (CVSS score of 9.8).

Two other updated Security Notes address high-severity vulnerabilities, namely a code injection in NetWeaver (ABAP) and ABAP Platform (CVE-2020-6296) and a server-side request forgery in NetWeaver AS ABAP (CVE-2020-6275).

“Three of the six HotNews and High Priority notes contain only more or less negligible update information not requiring customer action (as compared to the initial / previous version of the notes). The two HotNews notes # 2961991 and # 2958563 only affect a small number of SAP customers on DB4 or Sybase (SAP Marketing, SAP NetWeaver AS ABAP). That gives sufficient time for checking the status of all relevant security patches in your SAP systems,” notes Onapsis.

Five Security Notes released this week address medium-risk vulnerabilities in Bank Analyzer and S/4HANA Financial Products (CVE-2020-6311), Commerce (CVE-2020-6302), NetWeaver AS ABAP (CVE-2020-6324), NetWeaver AS Java (CVE-2020-6326), and Fiori (Launchpad) (CVE-2020-6283).

Multiple vulnerabilities were also addressed in the BusinessObjects Business Intelligence Platform (CVE-2020-6325, CVE-2020-6312, and CVE-2020-6288) and the 3D Visual Enterprise Viewer (38 CVEs).

SAP released updates for two medium-priority bugs this week: one addressing cross-site scripting (XSS) vulnerabilities in the modified jQuery bundled with SAPUI5 (CVE-2020-11022, CVE-2020-11023) and another patching a server-side request forgery on NetWeaver AS Java (CVE-2020-6282).

SAP also announced a low-priority Security Note that patches an information disclosure vulnerability in Adaptive Server Enterprise (CVE-2020-6317).

Jennifer Thomas
Jennifer Thomas is the Co-founder and Chief Business Development Officer at Cybers Guards. Prior to that, she was responsible for leading its Cyber Security Practice and Cyber Security Operations Center, which provided managed security services.