
Vulnerabilities

SAP Patches Critical Vulnerability in CA Introscope Enterprise Manager

The updates released by SAP for October 2020 include 15 Security Notes, including one that addresses a critical vulnerability. Six previously released Patch Day Security Notes were updated.

With a CVSS score of 10, the critical flaw is an OS command injection vulnerability affecting CA Introscope Enterprise Manager version 10.7.0.304 and lower (impacted SAP products include Solution Manager and Focused Run). The bug is tracked as CVE-2020-6364.

An attacker able to exploit the vulnerability could inject OS commands and gain full control of the host on which CA Introscope Enterprise Manager is running. The flaw can be exploited remotely and without authentication, which is why it carries the maximum CVSS score, explains Onapsis, a firm that specializes in securing Oracle and SAP applications.

SAP customers are advised “to patch Introscope Enterprise Manager to the highest patch level of Enterprise Manager 10.7,” Onapsis says.

SAP has released a patch for Enterprise Manager 10.5.2.113, and all earlier releases must be updated to that version to apply the fix. However, because the upgrade effort is similar to that of moving to 10.7, and because 10.5 reaches end of support in December 2020, going straight to 10.7 is the better option.
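The patch guidance above boils down to a branch-specific version floor, and the easy mistake when checking an estate is to compare build strings lexically or to forget that a 10.5 install at the fixed level still has an end-of-support problem. The following triage script is an added example, not SAP's or Onapsis's code. It encodes only what the article states (10.7.0.304 and lower affected, 10.5.2.113 as the fixed 10.5 level, 10.5 out of support in December 2020) and assumes, which the article does not say explicitly, that any 10.7 build numbered above 10.7.0.304 carries the fix. The hostnames and inventory are constructed for the example.

```python
"""Triage CA Introscope Enterprise Manager builds against SAP's October 2020
notes for CVE-2020-6364 (OS command injection).

Added example, not SAP's or Onapsis's code. Thresholds come from the article;
the assumption that 10.7 builds above .304 are fixed is marked below, and the
sample inventory is constructed, not real.
"""
from typing import List, Tuple

Version = Tuple[int, ...]

LAST_AFFECTED_107: Version = (10, 7, 0, 304)   # article: "10.7.0.304 or lower" is affected
FIXED_105: Version = (10, 5, 2, 113)           # article: patch released for 10.5.2.113
EOS_105 = "December 2020"                      # article: 10.5 end of support


def parse_version(text: str) -> Version:
    """Turn '10.7.0.304' into (10, 7, 0, 304), padding short strings with zeros.

    Integer tuples compare numerically field by field, which avoids the classic
    string-comparison bug where '10.7.0.304' > '10.7.0.1000'. Padding matters
    because tuple comparison is lexicographic: (10, 7) would otherwise sort
    below (10, 7, 0, 1) even when it denotes the same branch.
    """
    parts = [int(p) for p in text.strip().split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def assess(version_text: str) -> Tuple[str, str]:
    """Return (status, recommendation) for one Enterprise Manager build.

    status is 'VULNERABLE', 'PATCHED' or 'UNKNOWN'.
    """
    v = parse_version(version_text)
    branch = v[:2]
    if branch == (10, 7):
        if v <= LAST_AFFECTED_107:
            return "VULNERABLE", "apply the highest 10.7 patch level"
        # Assumption (not stated on the page): any 10.7 build above .304 is fixed.
        return "PATCHED", "no action for CVE-2020-6364"
    if branch == (10, 5):
        if v < FIXED_105:
            return "VULNERABLE", (f"upgrade to 10.7 (10.5.2.113 is the minimum fix level; "
                                  f"10.5 reaches end of support in {EOS_105})")
        return "PATCHED", f"plan the move to 10.7 before {EOS_105}"
    if branch < (10, 5):
        return "VULNERABLE", "upgrade to 10.7 (branch is older than 10.5)"
    return "UNKNOWN", "branch newer than 10.7; check the SAP note directly"


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Run assess() over (hostname, version) pairs; vulnerable hosts sort first.

    The sort is stable, so hosts keep their inventory order within each group.
    """
    rows = [(host, ver, *assess(ver)) for host, ver in inventory]
    return sorted(rows, key=lambda r: r[2] != "VULNERABLE")


# Constructed sample inventory for the example; these are not real hosts.
SAMPLE_INVENTORY = [
    ("solman-prd-01", "10.7.0.304"),
    ("solman-qas-01", "10.7.0.305"),
    ("frun-prd-01", "10.5.2.100"),
    ("frun-dev-01", "10.5.2.113"),
    ("legacy-em", "10.2"),
]

if __name__ == "__main__":
    for host, ver, status, action in triage(SAMPLE_INVENTORY):
        print(f"{host:<14} {ver:<11} {status:<10} {action}")
```

Feed it the (host, version) pairs from your CMDB export; a 10.5 host at exactly 10.5.2.113 is reported as patched for this CVE but still flagged for the 10.7 move, which matches the article's advice that 10.7 is the target rather than the 10.5 fix level.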

A second vulnerability addressed in CA Introscope Enterprise Manager this month is CVE-2020-6369 (CVSS score of 7.5). Hardcoded credentials within the application can be exploited by remote attackers to bypass authentication.

Patches that are available for both Enterprise Manager 10.5 and 10.7 force users to set new credentials for the Admin and Guest accounts in their installations. The fix also requires that the connection between Solution Manager/Focused Run and Introscope be restored manually.

The other Hot News Security Note released on the October 2020 Patch Day brings updates for the Chromium browser in SAP Business Client. The note was first released in April 2018 and SAP updates it periodically.

Two high-priority patches this month address CVE-2020-6367, a cross-site scripting (XSS) issue in NetWeaver Composite Application Framework, and CVE-2020-6366, missing XML validation in NetWeaver (Compare Systems).

SAP also updated four high-priority Security Notes dealing with a code injection flaw (CVE-2020-6296) in NetWeaver (ABAP) and ABAP Platform, missing authorization check (CVE-2020-6309) in NetWeaver AS JAVA, information disclosure (CVE-2020-6237) in Business Objects Business Intelligence Platform, and privilege escalation (CVE-2020-6236) in Landscape Management.

Eleven other Security Notes deal with medium-priority vulnerabilities: multiple bugs in 3D Visual Enterprise Viewer, server-side request forgery in BusinessObjects Business Intelligence, reverse tabnabbing in NetWeaver, information disclosure in NetWeaver, incorrect authorization in Banking Services, and XSS in NetWeaver, Commerce Cloud, and Business Planning and Consolidation.

SAP’s October 2020 Patch Day includes an update to a medium-priority Security Note that deals with a missing authorization check in ERP (HCM Travel Management) and one Note dealing with a low severity insufficient session expiration issue in Commerce Cloud.

Related: Critical Access Control Vulnerability Patched in SAP Marketing

Related: SAP Releases August 2020 Security Updates

Related: Open Source Tool Checks SAP Systems for RECON Attack IOCs

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
