Security Experts:

Connect with us

Hi, what are you looking for?



Critical Vulnerability Patched in SAP Commerce

SAP this week released its June 2020 security patches, which address 19 vulnerabilities across the company’s product portfolio, including two rated critical.

SAP this week released its June 2020 security patches, which address 19 vulnerabilities across the company’s product portfolio, including two rated critical.

SAP released 17 new Security Notes on this month’s Security Patch Day, to which it added an update to a previously released Note. Additional patches were released between the second Tuesday of May 2020 and the second Tuesday of June 2020, for a total of 23 new and updated Security Notes.

The most important of these patches are two Hot News Security Notes addressing critical vulnerabilities in SAP Liquidity Management for Banking and SAP Commerce.

Tracked as CVE-2020-1938 and featuring a CVSS score of 9.8, the first critical flaw is not SAP specific, but affects Apache Tomcat instead. Called “Ghostcat,” the issue affects Apache JServ Protocol (AJP) connections and could be abused “in ways that may be surprising.”

Attackers started scanning for vulnerable Apache Tomcat servers within days after patches were made available. SAP recommends that all ports using AJP are disabled, warning of the potential for remote code execution, Onapsis, a firm specialized in securing Oracle and SAP applications, explains.

Also rated Hot News and featuring a CVSS score of 9.8 is a Security Note addressing hard-coded user credentials in SAP Commerce and SAP Commerce Data Hub (CVE-2020-6265).

“After applying the patch, a new installation of SAP Commerce will only activate the built-in “admin” account. The installer is forced to maintain an initial password for that account. Other built-in users are still created during installation, but they are inactive until an individual password is set for these accounts. The later rule also applies to all built-in users of SAP Commerce Data Hub,” Onapsis explains.

Existing SAP Commerce installations, however, remain vulnerable even after the update, as the patch does not remove the default passwords from built-in accounts. Thus, users are advised to re-initialize the SAP Commerce installation after applying the patch, or manually disable all default passwords.

Four High Priority Security Notes were included in this month’s SAP Security Patch Day: information disclosure in SAP Commerce (CVE-2020-6264), missing XML validation in SAP Solution Manager (CVE-2020-6271), missing authorization check in SAP SuccessFactors Recruitment Management (CVE-2020-6279), and server-side request forgery in SAP NetWeaver AS ABAP (CVE-2020-6275).

All of the remaining Security Notes that SAP included in this month’s set of patches have been rated Medium Priority: authentication bypass in standalone clients connecting to NetWeaver AS Java via the P4 protocol, missing authorization checks in Netweaver AS ABAP and ERP, incomplete XML validation in Solution Manager, cross-site scripting (XSS) in Netweaver, URL redirections in Fiori for S/4HANA, and information disclosures in Business One and Business Objects.

Additionally, SAP released updates for a Security Note published on the July 2019 Security Patch Day, which addresses a content injection vulnerability in SAP Gateway (CVE-2019-0319, CVSS score of 4.3).

Related: Details of Serious SAP Adaptive Server Enterprise Vulnerabilities Disclosed

Related: SAP’s May 2020 Security Updates Include Six Critical Patches

Related: SAP’s April 2020 Security Updates Patch Five Critical Vulnerabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet