SAP’s May 2020 Security Patch Day updates, published Tuesday by the company, include a total of 18 Security Notes and 4 updates to previous Notes, six of which are classified as Hot News.
The most important of the Notes addresses a code injection vulnerability in NetWeaver Application Server ABAP. Tracked as CVE-2020-6262 and carrying a CVSS score of 9.9, the problem is that a remote-enabled function module that generates code dynamically does not validate its input sufficiently.
The bug could allow an attacker to take control of an ABAP system connected to a SolMan (Solution Manager) system. It affects the SAP_BASIS releases 2008_1_46C, 2008_1_620, 2008_1_640, 2008_1_700, 2008_1_710, and 740.
“Only the fact that an attacker requires a minimum level of permissions to exploit this vulnerability has stopped them from receiving a 10.0 CVSS,” states Onapsis, a company specializing in protecting Oracle and SAP software.
Two other Hot News Notes address vulnerabilities in the Business Objects business intelligence platform. The first fixes a missing authentication check (CVE-2020-6242, CVSS score 9.8), while the second fixes deserialization of untrusted data (CVE-2020-6219, CVSS score 9.1) and is an update to a Note first released in April.
SAP also released another update this month to a Hot News Security Note first published in April 2018 that delivers security fixes for the Chromium-based browser controls in SAP Business Client. The latest update moves the bundled Chromium to version 81.0.4044.92.
The remaining two Hot News Notes published this week address a code injection flaw in the Adaptive Server Enterprise Backup Server (CVE-2020-6248, CVSS score 9.1) and an information disclosure flaw in the Adaptive Server Enterprise (ASE) Cockpit (CVE-2020-6252, CVSS score 9).
SAP also published three High Priority Notes for SAP ASE, correcting a SQL injection vulnerability (CVE-2020-6241, CVSS score 8.8), a code injection bug in the XP Server component (CVE-2020-6241, CVSS score 8; only installations on Windows are affected), and a SQL injection in Web Services (CVE-2020-6253, CVSS score 7.2).
A fourth High Priority Note patches a code injection issue in Master Data Governance (MDG). The vulnerability is tracked as CVE-2020-6249 and has a CVSS score of 7.7.
Three other High Priority Notes should be added to the list, although they were not released on the May 2020 Security Patch Day itself, according to Onapsis. These cover information disclosure flaws in Landscape Management and the ABAP Server, and binary planting in Business Client.
The remaining 12 Notes released on the May 2020 Security Patch Day are rated Medium Priority. They address missing authorization checks, cross-site scripting (XSS), improper session management, denial of service, and other issues in Business Application, ASE, Enterprise Vulnerability Identification of Business Objects, MDG, Plant Networking, ABAP, and Identity Management.
Counting all the Notes released between last month's second Tuesday and this month's second Tuesday, together with the updates to previously released Notes, SAP's May 2020 release contains a total of 29 security patches.