Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



SAP Patches Critical Vulnerability in CA Introscope Enterprise Manager

The updates released by SAP for October 2020 include 15 Security Notes, including one that addresses a critical vulnerability. Six previously released Patch Day Security Notes were updated.

The updates released by SAP for October 2020 include 15 Security Notes, including one that addresses a critical vulnerability. Six previously released Patch Day Security Notes were updated.

Featuring a CVSS score of 10, the critical flaw is an OS command injection vulnerability that affects CA Introscope Enterprise Manager version or lower (impacted products include Solution Manager and Focused Run). The bug is tracked as CVE-2020-6364.

An attacker able to exploit the vulnerability could inject OS commands and gain full control of the host on which CA Introscope Enterprise Manager is running. The flaw is remotely exploitable, without authentication, which contributes to its high CVSS score, Onapsis, a firm that specializes in securing Oracle and SAP applications, explains.

SAP customers are advised “to patch Introscope Enterprise Manager to the highest patch level of Enterprise Manager 10.7,” Onapsis says.

SAP has released a patch for Enterprise Manager and all previous releases need to be updated to this version to apply the fix. However, with the upgrade effort similar to upgrading to version 10.7 and with 10.5 reaching end of support in December 2020, going straight to 10.7 is the best option.

A second vulnerability addressed in CA Introscope Enterprise Manager this month is CVE-2020-6369 (CVSS score of 7.5). Hardcoded credentials within the application can be exploited by remote attackers to bypass authentication.

Patches that are available for both Enterprise Manager 10.5 and 10.7 force users to set new credentials for the Admin and Guest accounts in their installations. The fix also requires that the connection between Solution Manager/Focused Run and Introscope be restored manually.

Advertisement. Scroll to continue reading.

One other Hot News Security Note released on October 2020 Patch Day brings updates for the Chromium browser in SAP Business Client. The security note was initially released in April 2018 and SAP delivers periodical updates for it.

Two high-priority patches this month address CVE-2020-6367, a cross-cite ccripting (XSS) issue in NetWeaver Composite Application Framework, and CVE-2020-6366, missing XML validation in NetWeaver (Compare Systems).

SAP also updated four high-priority Security Notes dealing with a code injection flaw (CVE-2020-6296) in NetWeaver (ABAP) and ABAP Platform, missing authorization check (CVE-2020-6309) in NetWeaver AS JAVA, information disclosure (CVE-2020-6237) in Business Objects Business Intelligence Platform, and privilege escalation (CVE-2020-6236) in Landscape Management.

Eleven other Security Notes deal with medium-priority vulnerabilities: multiple bugs in 3D Visual Enterprise Viewer, server-side request forgery in BusinessObjects Business Intelligence, reverse tabnabbing in NetWeaver, information disclosure in NetWeaver, incorrect authorization in Banking Services, and XSS in NetWeaver, Commerce Cloud, and Business Planning and Consolidation.

SAP’s October 2020 Patch Day includes an update to a medium-priority Security Note that deals with a missing authorization check in ERP (HCM Travel Management) and one Note dealing with a low severity insufficient session expiration issue in Commerce Cloud.

Related: Critical Access Control Vulnerability Patched in SAP Marketing

Related: SAP Releases August 2020 Security Updates

Related: Open Source Tool Checks SAP Systems for RECON Attack IOCs

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.