Security Experts:

Connect with us

Hi, what are you looking for?



SAP Releases 13 Security Notes on February 2020 Patch Day

SAP’s February 2020 Security Patch Day brought 13 new Security Notes and updates to 2 previously released Patch Day Security Notes.

SAP’s February 2020 Security Patch Day brought 13 new Security Notes and updates to 2 previously released Patch Day Security Notes.

The company released three new High priority Security Notes and 10 Medium priority notes this month. The updated Notes include a Hot News one and one Medium priority. 

The Hot News Security Note (CVSS score 9.8) is an update for the supported Chromium version in SAP Business Client, which was initially released on April 2018 Patch Day. 

The first of the High priority notes addresses a Denial of Service (DoS) vulnerability in SAP Host Agent (CVE-2020-6186, CVSS score 7.5). 

The issue impacts user/password authentications operations and is caused by operating system facilities that SAP Host Agent’s authentication uses, Onapsis, a company that specializes in securing Oracle and SAP products, explains. 

“These facilities often delay failed authentication requests in order to handle the negative impact of brute force authentication attacks. SAP Host Agent limits the number of parallel authentication requests so that regular authentication requests might be slowed down due to delayed responses,” Onapsis says

Mitigations include restricting access ports to the datacenter network, restricting access ports to trusted networks and addresses only, and allowing certificate-based authentication only. 

The other two High priority Notes patch missing input bugs in SAP Landscape Management (CVE-2020-6191 and CVE-2020-6192, CVSS score 7.2). These issues could allow an attacker to inject commands with malicious content that is executed in the context of user Root or <SID>adm. 

SAP also addressed a missing authorization check in ERP and S/4 HANA (CVE-2020-6188), Cross-Site Scripting (XSS) vulnerabilities in NetWeaver (CVE-2020-6193) and NetWeaver and S/4HANA (CVE-2020-6184 and CVE-2020-6185), an information disclosure in NetWeaver AS Java (CVE-2020-6190), and an HTTP response splitting flaw in NetWeaver and ABAP Platform (CVE-2020-6181). 

Other security bugs patched this month include an unprivileged access to technical data using SAPOSCOL of Host Agent (CVE-2020-6183), information disclosure in BusinessObjects BI Central Management Console (CVE-2020-6189), and missing XML validation vulnerabilities in NetWeaver (CVE-2020-6187) and Mobile Platform (CVE-2020-6177). 

Along with Security Notes released at the end of January, and Support Notes, SAP released a total of 19 Security Notes this month, Onapsis says. 

One of these is a High priority (CVSS score 7.4) Note addressing a missing authorization check in Mobile Platform Native SDK, Android, where data stored in the Federation Library was not protected by default. Thus, if the application developer did not explicitly define permissions to access the library data, it remained unprotected, according to Onapsis.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.