SAP this week released its latest set of security patches, which brings a total of 23 Security Notes, including five that address Hot News vulnerabilities.
The most important of the flaws is a missing XML validation vulnerability in SAP Commerce. Tracked as CVE-2020-6238 and featuring a CVSS score of 9.3, the bug could be exploited remotely and does not require authentication.
An attacker able to successfully exploit the security issue could read sensitive files and data from the system. In some limited scenarios, the attacker could even impact availability, Onapsis, a firm that specializes in securing SAP and Oracle software, reveals.
Another Hot News Security Note released as part of the April 2020 SAP Security Patch Day addresses a directory traversal vulnerability in SAP NetWeaver (CVE-2020-6225, CVSS score of 9.1).
The issue resides in NetWeaver Knowledge Management, a centralized access point that allows users to navigate folders, manage files, and the like. It also allows users to upload files, but insufficient validation of input may allow an attacker to “overwrite, delete or corrupt arbitrary files,” Onapsis explains.
Another Hot News Security Note addresses a deserialization vulnerability in SAP BusinessObjects Business Intelligence Platform, which could result in remote command execution. Tracked as CVE-2020-6219 (CVSS score of 9.1), the issue allows for the manipulation of parameters for a specific component.
SAP also issued a Hot News Security Note to address a code injection vulnerability in OrientDB 3.0. Tracked as CVE-2020-6230 and featuring a CVSS score of 9.1, the vulnerability requires authentication and script execution privileges.
The fifth Security Note released on the April 2020 Security Patch Day is an update to a patch released on the November 2019 Patch Day, which addresses an OS command injection vulnerability in SAP Diagnostics Agent (CVE-2019-0330, CVSS score of 9.1).
A total of five High Priority Security Notes were released as part of the April 2020 Patch Day, the most important of which is a missing authentication check in SAP Solution Manager (Diagnostics Agent).
Tracked as CVE-2020-6235 and featuring a CVSS score of 8.6, this vulnerability may allow an attacker to read sensitive information or abuse the lack of an authentication check in a component to access administrative or other privileged functionalities.
Other High Priority bugs SAP has addressed include an information disclosure issue in Business Objects Business Intelligence Platform (CVE-2020-6237), and privilege escalation flaws in Host Agent (CVE-2020-6234) and Landscape Management 3.0/SAP Adaptive Extensions (CVE-2020-6236).
The fifth High Priority patch is an update for a Security Note released on the March 2020 Patch Day, addressing a remote code execution bug in Business Objects Business Intelligence Platform (Crystal Reports), tracked as CVE-2020-6208 and featuring a CVSS score of 8.1.
All of the remaining Security Notes address Medium Priority vulnerabilities in Business Objects Business Intelligence Platform, ERP & S/4 HANA, NetWeaver, Fiori Launchpad, Business Client, S/4 HANA, and SAP Commerce.
Related: Critical Vulnerabilities in SAP Solution Manager Expose Companies to Attacks
Related: SAP Releases 13 Security Notes on February 2020 Patch Day
Related: SAP Releases 6 Security Notes on January 2020 Patch Day
