There are 15 Security Notes in the patches issued by SAP for October 2020, including one that fixes a critical vulnerability. Updates were also made to six previously published Patch Day Security Notes.
The critical flaw, with a CVSS score of 10, is an OS command injection vulnerability that affects version 10.7.0.304 or lower of CA Introscope Enterprise Manager (affecting products such as Solution Manager and Focused Run). The vulnerability is tracked as CVE-2020-6364.
An attacker able to exploit the vulnerability can inject OS commands and gain complete control of the host running CA Introscope Enterprise Manager. Onapsis, a company that specialises in protecting Oracle and SAP software, notes that the vulnerability is remotely exploitable without authentication, which contributes to its high CVSS score.
Onapsis says that SAP customers are advised “to patch Introscope Enterprise Manager to Enterprise Manager 10.7’s highest patch level.”
For Enterprise Manager 10.5.2.113, SAP has released a patch, and all earlier releases need to be updated to this version to apply the fix. However, since the effort involved is equivalent to updating to version 10.7, and since 10.5 is approaching end of support in December 2020, the safest option is to go straight to 10.7.
CVE-2020-6369 (CVSS score of 7.5) is the second vulnerability addressed this month in CA Introscope Enterprise Manager. Remote attackers can abuse hardcoded passwords in the application to bypass authentication.
Patches available for both Enterprise Manager 10.5 and 10.7 force users to set new credentials for the Admin and Guest accounts in their installations. The fix also requires that the connection between Solution Manager / Focused Run and Introscope be manually re-established.
Another Hot News Security Note released on the October 2020 Patch Day brings updates to the Chromium browser in SAP Business Client. The security note was initially released in April 2018, and SAP provides periodic updates to it.
This month, two high-priority patches address CVE-2020-6367, a cross-site scripting (XSS) issue in NetWeaver Composite Application Framework, and CVE-2020-6366, a missing XML validation issue in NetWeaver (Compare Systems).
SAP also revised four high-priority Security Notes dealing with a code injection vulnerability (CVE-2020-6296) in NetWeaver (ABAP) and ABAP Platform, a missing authorization check (CVE-2020-6309) in NetWeaver AS JAVA, information disclosure (CVE-2020-6237) in BusinessObjects Business Intelligence Platform, and privilege escalation (CVE-2020-6236) in Landscape Management.
Eleven other Security Notes resolve medium-priority vulnerabilities: multiple bugs in 3D Visual Enterprise Viewer, server-side request forgery in BusinessObjects Business Intelligence, reverse tabnabbing in NetWeaver, information disclosure in NetWeaver, an incorrect authorization check in Banking Services, and XSS in NetWeaver, Commerce Cloud, and Business Planning and Consolidation.
SAP’s October 2020 Patch Day also includes an update to a medium-priority Security Note dealing with a missing authorization check in ERP (HCM Travel Management), and a Note addressing a low-severity insufficient session expiration issue in Commerce Cloud.