The updates released by SAP for October 2020 include 15 Security Notes, including one that addresses a critical vulnerability. Six previously released Patch Day Security Notes were updated.
Featuring a CVSS score of 10, the critical flaw is an OS command injection vulnerability that affects CA Introscope Enterprise Manager version 10.7.0.304 or lower (impacted products include Solution Manager and Focused Run). The bug is tracked as CVE-2020-6364.
An attacker able to exploit the vulnerability could inject OS commands and gain full control of the host on which CA Introscope Enterprise Manager is running. The flaw is remotely exploitable, without authentication, which contributes to its high CVSS score, Onapsis, a firm that specializes in securing Oracle and SAP applications, explains.
SAP customers are advised “to patch Introscope Enterprise Manager to the highest patch level of Enterprise Manager 10.7,” Onapsis says.
SAP has released a patch for Enterprise Manager 10.5.2.113 and all previous releases need to be updated to this version to apply the fix. However, with the upgrade effort similar to upgrading to version 10.7 and with 10.5 reaching end of support in December 2020, going straight to 10.7 is the best option.
A second vulnerability addressed in CA Introscope Enterprise Manager this month is CVE-2020-6369 (CVSS score of 7.5). Hardcoded credentials within the application can be exploited by remote attackers to bypass authentication.
Patches that are available for both Enterprise Manager 10.5 and 10.7 force users to set new credentials for the Admin and Guest accounts in their installations. The fix also requires that the connection between Solution Manager/Focused Run and Introscope be restored manually.
One other Hot News Security Note released on October 2020 Patch Day brings updates for the Chromium browser in SAP Business Client. The security note was initially released in April 2018 and SAP delivers periodical updates for it.
Two high-priority patches this month address CVE-2020-6367, a cross-cite ccripting (XSS) issue in NetWeaver Composite Application Framework, and CVE-2020-6366, missing XML validation in NetWeaver (Compare Systems).
SAP also updated four high-priority Security Notes dealing with a code injection flaw (CVE-2020-6296) in NetWeaver (ABAP) and ABAP Platform, missing authorization check (CVE-2020-6309) in NetWeaver AS JAVA, information disclosure (CVE-2020-6237) in Business Objects Business Intelligence Platform, and privilege escalation (CVE-2020-6236) in Landscape Management.
Eleven other Security Notes deal with medium-priority vulnerabilities: multiple bugs in 3D Visual Enterprise Viewer, server-side request forgery in BusinessObjects Business Intelligence, reverse tabnabbing in NetWeaver, information disclosure in NetWeaver, incorrect authorization in Banking Services, and XSS in NetWeaver, Commerce Cloud, and Business Planning and Consolidation.
SAP’s October 2020 Patch Day includes an update to a medium-priority Security Note that deals with a missing authorization check in ERP (HCM Travel Management) and one Note dealing with a low severity insufficient session expiration issue in Commerce Cloud.
Related: Critical Access Control Vulnerability Patched in SAP Marketing
Related: SAP Releases August 2020 Security Updates
Related: Open Source Tool Checks SAP Systems for RECON Attack IOCs