On the 13th of February 2020, SAP Security Patch Day saw the release of 15 Security Notes.
Notes by severity
|Correction with high priority||3|
|Correction with medium priority||11|
|Correction with low priority||0|
On February Patch Day SAP presents 4 high-severity Notes with 1 of them rated as HotNews.
Security Note 2622660 is a traditional opening for the most Patch Days since the first release on April 2018 – Security updates for the browser control Google Chromium delivered with SAP Business Client – with a CVSS Score of 9.8. Several new updates are presented in the Note ‘Solution’ body.
The Note 2841053 – Denial of Service (DOS) Vulnerability in SAP Host Agent – with a CVSS Score of 7.5 – describes the possibility of a denial of service attack of the SAP Host Agent authentication service by sending malicious requests by an unauthenticated attacker. The OS-based authentication may be configured to delegate authentication requests to a remote server (e.g. LDAP, Active Directory etc). To protect these OS-based authentication and infrastructure components the SAP Host Agent limits the number of parallel authentication requests.
The other two Security Notes which were rated as high priority are 2878030 – Missing Input Validation in SAP Landscape Management – with a CVSS Score of 7.2, and 2877968 with the same name and CVSS Score. These issues described could allow an attacker to inject commands with malicious content that is executed in the context of user Root or <SID>adm.