SAP Security Notes - April 2020 - Safe O'Clock

SAP Security Notes – April 2020

April 14, 2020

On the 14th of April 2020, SAP Security Patch Day saw the release of 26 Security Notes.

Notes by severity

HotNews 5
Correction with high priority 5
Correction with medium priority 16
Correction with low priority 0

Highlights

On April Patch Day SAP presents 10 high-severity Notes with 5 of them rated as HotNews.

The patch for today is rich for all kinds of severity notes, however, we will highlight the most critical HotNews, starting with 2904480Missing XML Validation vulnerability in SAP Commerce – with a CVSS Score of 9.3. SAP Commerce does not process XML input securely in certain REST XML APIs. This affects the confidentiality and partial availability of SAP Commerce.

Another Note 2900118Code Injection vulnerability in SAP OrientDB 3.0 – with a CVSS Score of 9.1 – highlights the situation when an attacker may impact existing users with Javascript functions defined in OrientDB or access to certain Java classes through the vulnerability in SAP OrientDB 3.0. An attacker could control the behavior of the application after the elevation of privileges.

The next Note to describe will be 2863731Deserialization of Untrusted Data in SAP Business Objects Business Intelligence Platform (CR .Net SDK WebForm Viewer) – with a CVSS Score of 9.1. Crystal reports web form viewer allows an attacker with basic authorization to perform a deserialization attack in the application, which may lead to code execution upon it. To manage the vulnerability, we suggest applying the Solution steps presented for Business Objects platform security.

SAP NetWeaver also received the fix in Note 2896682Directory Traversal vulnerability in SAP NetWeaver (Knowledge Management) – with a CVSS Score of 9.1. An attacker was allowed to overwrite, delete, or corrupt arbitrary files on the remote server through the lack of path validation of the information provided by users.

Security Note 2808158 receives an ‘Update 2’ as the Note 2839864OS Command Injection vulnerability in SAP Diagnostics Agent – with a CVSS Score of 9.1. The original correction did not cover all scenarios, so the OSS note 2839864 corrects these additional ones to exclude the possibility of arbitrary code execution.

You Might Be Interested In

The latest news in the
sphere of SAP security

SAP News Overview for April 2023 – new SAP office in San Francisco, AMD is SAP customer and others

New SAP office in San Francisco SAP is constantly expanding to make its services available to more customers. The company […]

Read more
SAP Security Notes – May 2023

May 2023 On the 9th of May 2023, SAP Security Patch Day, 18 new Security Notes were released. There were […]

Read more
SAP Security Notes – April 2023

On the 11th of April 2023, SAP Security Patch Day saw the release of 19 new Security Notes. There were […]

Read more
SAP News Overview for March 2023 – Industry Cloud for healthcare, Axfood and others

SAP’s Industry Cloud helps healthcare In life sciences and healthcare, SAP is committed to helping its customers develop and advance […]

Read more

Subscribe today to get more insights,
updates, and industry trends

Delivered to your inbox weekly.
No spam. We respect your privacy

    This website use cookies. Learn more
    OK