May 2020 security updates for SAP include six critical patches
SAP's Security Patch Day updates for May 2020, released on Tuesday, included a total of 18 security updates and 4 updates to previously released security updates, six of which were classified as Hot News.
The most important note concerns a code injection vulnerability in the NetWeaver ABAP application server. Tracked as CVE-2020-6262 with a CVSS score of 9.9, the problem arises because an external function module that generates code dynamically does not sufficiently validate its input.
The flaw may allow an attacker to take control of an ABAP system connected to the Solution Manager system (SolMan). The affected ABAP versions are 2008_1_46C, 2008_1_620, 2008_1_640, 2008_1_700, 2008_1_710 and 740.
Only the fact that an attacker needs a minimum level of authorization to exploit this vulnerability kept it from receiving a CVSS score of 10.0, explains Onapsis, a company that specializes in protecting Oracle and SAP applications.
Two other notes focus on vulnerabilities in the Business Objects business analytics platform. The first fixes a missing authentication check (CVE-2020-6242, CVSS score 9.8) and the second fixes deserialization of untrusted data (CVE-2020-6219, CVSS score 9.1), although the latter is an update to a note from April.
This month, SAP released a new update to the Hot News security note, first released in April 2018, which includes security fixes for the Chromium browser control in Business Client. The new update supports Chromium version 81.0.4044.92.
The other two Hot News notes this week address code injection in the Adaptive Server Enterprise Backup Server (CVE-2020-6248, CVSS score 9.1) and deployment errors in the Adaptive Server Enterprise (ASE) Cockpit (CVE-2020-6252, CVSS score 9).
SAP has also issued three high-priority notes for SAP ASE to address an SQL injection flaw (CVE-2020-6241, CVSS score 8.8), a code injection flaw in the XP Server component (CVE-2020-6241, CVSS score 8, for installations on Windows platforms only), and SQL injection in Web Services (CVE-2020-6253, CVSS score 7.2).
The fourth high-priority note fixes a code injection issue in the Master Data Management System (MDMS). The vulnerability is tracked as CVE-2020-6249 and has a CVSS score of 7.7.
According to Onapsis, three other high-priority notes should be added to the list, although they were not published on the May 2020 Security Patch Day itself. These cover information disclosure weaknesses in Landscape Management and the ABAP server, as well as binary planting in Business Client.
The remaining 12 notes issued in May 2020 are classified as medium priority. These address missing authorization checks, cross-site scripting (XSS), poor session management, denial of service and other issues in Business Client, ASE, business threat detection with Business Objects, WCO, business connectivity, ABAP and identity management.
Taking into account all notes issued between the second Tuesday of the previous month and the second Tuesday of this month, as well as updates to previously issued notes, SAP updates for May 2020 include a total of 29 security patches.