SAP released this week its latest package of security updates, a total of 23 Security Notes, including five for Hot News vulnerabilities.
The most critical of these is a missing XML validation flaw in SAP Commerce. Tracked as CVE-2020-6238 with a CVSS score of 9.3, the vulnerability can be exploited remotely and does not require authentication.
An attacker able to exploit the issue could read confidential files and data from the network. In certain restricted scenarios, the attacker could also impact the functionality of SAP and Oracle applications.
Another Hot News Security Note issued during the April 2020 SAP Security Patch Day addresses a directory traversal vulnerability in SAP NetWeaver (CVE-2020-6225, CVSS 9.1).
The affected component is NetWeaver Information Management, a centralised access point for users to search directories, manage files, and the like. It also allows users to upload files, and because of inadequate input validation an attacker might be able to “overwrite, erase or corrupt arbitrary files,” explains Onapsis.
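As an added illustration (not code from the article, from Onapsis or from SAP), the following Python shows the kind of input validation an upload handler needs to keep a user-supplied filename inside its upload directory; the function names and the base directory are assumptions.

```python
# Added example, not SAP or NetWeaver code: validate an untrusted upload
# filename so it cannot escape the upload directory.  Names and the base
# directory used here are assumptions for illustration.
import os
import posixpath
from urllib.parse import unquote


class TraversalError(ValueError):
    """Raised when a supplied filename would escape the upload directory."""


def safe_upload_path(base_dir: str, supplied_name: str) -> str:
    """Map an untrusted filename to an absolute path inside base_dir.

    Rejects absolute paths, '.' and '..' components, backslashes, null
    bytes and percent-encoded variants of these, then confirms that the
    resolved path still lies inside base_dir.
    """
    # Decode percent-encoding twice so "%252e%252e" and "%2e%2e" are
    # both seen as ".." before the component checks run.
    name = unquote(unquote(supplied_name))
    if "\x00" in name or "\\" in name:
        raise TraversalError("forbidden character in filename")
    if posixpath.isabs(name):
        raise TraversalError("absolute path not allowed")
    for part in name.split("/"):
        if part in ("", ".", ".."):
            raise TraversalError("path component not allowed: %r" % part)
    # Belt and braces: resolve symlinks and re-check containment.
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise TraversalError("resolved path escapes upload directory")
    return target


def is_safe(base_dir: str, supplied_name: str) -> bool:
    """Convenience wrapper: True if the name is accepted, False otherwise."""
    try:
        safe_upload_path(base_dir, supplied_name)
        return True
    except TraversalError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: the first two are accepted, the rest rejected.
    for candidate in ("report.pdf", "docs/q1.xlsx", "../../etc/passwd",
                      "%2e%2e/config.ini", "/etc/hosts", "a\\..\\b"):
        print(f"{candidate!r:>22} -> {is_safe('/srv/uploads', candidate)}")
```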
Another Hot News Security Note addresses a deserialization vulnerability in the SAP BusinessObjects Business Intelligence Platform, which could lead to remote code execution. Tracked as CVE-2020-6219 (CVSS 9.1), the issue allows an attacker to control a parameter of a specific variable.
SAP has also published a Hot News Security Note for OrientDB 3.0 to fix a code injection vulnerability. Tracked as CVE-2020-6230 with a CVSS score of 9.1, the vulnerability involves authentication and the execution of scripts.
The fifth Security Note published during the April 2020 Security Patch Day is an update to a November 2019 Patch Day note that fixes a command injection vulnerability in the SAP Diagnostics Agent (CVE-2019-0330, CVSS 9.1).
As part of the April 2020 Patch Day, a total of five high priority Security Notes were released, the most important of which addresses a missing authentication check in SAP Solution Manager (Diagnostics Agent).
This vulnerability, tracked as CVE-2020-6235, could allow an attacker to read sensitive information or bypass the component’s authentication check to access administrative or other privileged functions.
Other high priority bugs fixed by SAP include an information disclosure issue in the BusinessObjects Business Intelligence Platform (CVE-2020-6237) and privilege escalation vulnerabilities in SAP Host Agent (CVE-2020-6234) and SAP Landscape Manager 3.0 (CVE-2020-6236).
The fifth high priority note is an update to a March 2020 Patch Day Security Note that fixes a code execution vulnerability in Crystal Reports (BusinessObjects Business Intelligence Platform), tracked as CVE-2020-6208 with a CVSS score of 8.1.
The remaining Security Notes fix medium priority vulnerabilities in ERP & S/4 HANA, NetWeaver, Fiori Launchpad, Business Client, S/4 HANA, and SAP Commerce.