Critical Vulnerability Patched in SAP Commerce

SAP this week released its June 2020 security patches, which address 19 vulnerabilities across the company’s product portfolio, including two rated critical.

SAP released 17 new Security Notes on this month’s Security Patch Day, to which it added an update to a previously released Note. Additional patches were released between the second Tuesday of May 2020 and the second Tuesday of June 2020, for a total of 23 new and updated Security Notes.

The most important of these patches are two Hot News Security Notes addressing critical vulnerabilities in SAP Liquidity Management for Banking and SAP Commerce.

Tracked as CVE-2020-1938 and featuring a CVSS score of 9.8, the first critical flaw is not SAP specific, but affects Apache Tomcat instead. Called “Ghostcat,” the issue affects Apache JServ Protocol (AJP) connections and could be abused “in ways that may be surprising.”

Attackers started scanning for vulnerable Apache Tomcat servers within days after patches were made available. SAP recommends that all ports using AJP are disabled, warning of the potential for remote code execution, Onapsis, a firm specialized in securing Oracle and SAP applications, explains.

Also rated Hot News and featuring a CVSS score of 9.8 is a Security Note addressing hard-coded user credentials in SAP Commerce and SAP Commerce Data Hub (CVE-2020-6265).

“After applying the patch, a new installation of SAP Commerce will only activate the built-in “admin” account. The installer is forced to maintain an initial password for that account. Other built-in users are still created during installation, but they are inactive until an individual password is set for these accounts. The later rule also applies to all built-in users of SAP Commerce Data Hub,” Onapsis explains.

Existing SAP Commerce installations, however, remain vulnerable even after the update, as the patch does not remove the default passwords from built-in accounts. Thus, users are advised to re-initialize the SAP Commerce installation after applying the patch, or manually disable all default passwords.

Four High Priority Security Notes were included in this month’s SAP Security Patch Day: information disclosure in SAP Commerce (CVE-2020-6264), missing XML validation in SAP Solution Manager (CVE-2020-6271), missing authorization check in SAP SuccessFactors Recruitment Management (CVE-2020-6279), and server-side request forgery in SAP NetWeaver AS ABAP (CVE-2020-6275).

All of the remaining Security Notes that SAP included in this month’s set of patches have been rated Medium Priority: authentication bypass in standalone clients connecting to NetWeaver AS Java via the P4 protocol, missing authorization checks in Netweaver AS ABAP and ERP, incomplete XML validation in Solution Manager, cross-site scripting (XSS) in Netweaver, URL redirections in Fiori for S/4HANA, and information disclosures in Business One and Business Objects.

Additionally, SAP released updates for a Security Note published on the July 2019 Security Patch Day, which addresses a content injection vulnerability in SAP Gateway (CVE-2019-0319, CVSS score of 4.3).

Related: Details of Serious SAP Adaptive Server Enterprise Vulnerabilities Disclosed

Related: SAP’s May 2020 Security Updates Include Six Critical Patches

Related: SAP’s April 2020 Security Updates Patch Five Critical Vulnerabilities