On the 9th of June 2020, SAP Security Patch Day saw the release of 17 new Security Notes.
There was 1 update to previously released Patch Day Security Notes.
Notes by severity
|Correction with high priority||4|
|Correction with medium priority||12|
|Correction with low priority||0|
On June Patch Day SAP presents 6 high-severity Notes with 2 of them rated as HotNews.
Our digest for today starts with 2928570 Security Note – ‘Ghostcat’ Apache Tomcat AJP Vulnerability in SAP Liquidity Management for Banking – with a CVSS Score of 9.8. The remote code execution is allowed by Apache Tomcat AJP vulnerability codenamed as ‘Ghostcat’. Due to low complexity and network attack vector, we suggest your Banking security specialists apply the listed solution.
The next HotNews security note to discuss is 2918924 – Use of Hard-coded Credentials in SAP Commerce and SAP Commerce Datahub – with the same CVSS Score of 9.8 as above. By means of default credentials, an attacker is allowed to bypass the authentication that the system administrator has configured. Through vulnerability exploitation, an attacker has the possibility of arbitrary code execution and exposing certain resources or functionality to unintended users.
Another High-severity Note should be highlighted here – 2906366 – Information Disclosure in SAP Commerce – with a CVSS Score of 8.6. Through this vulnerability of SAP Commerce, system configuration confidentiality could be compromised by a malicious user, resulting in the loss of sensitive information.