On the 10th of March 2020, SAP Security Patch Day saw the release of 18 Security Notes.
Notes by severity
| HotNews | 4 |
| Correction with high priority | 4 |
| Correction with medium priority | 9 |
| Correction with low priority | 1 |
Highlights
On March Patch Day SAP presents 8 high-severity Notes with 4 of them rated as HotNews.
We will start our digest today from Security Note 2622660 – Security updates for the browser control Google Chromium delivered with SAP Business Client – with a CVSS Score of 10. Chromium systems update was proved to be essential due to their complexity and high possibility of becoming the target for a potential attack.
There is another Note with the highest CVSS Score possible – Security Note 2890213 – Missing Authentication Check in SAP Solution Manager – with a CVSS Score of 10. Due to the lack of performing any authentication for a service resulting in the complete compromise of all SMDAgents connected to the Solution Manager, the risk of systems integrity compromise is stated to be a severe threat.
The more specific Note of SAP Solution Manager security was dedicated to Diagnostics Agent. The Security Note 2845377 – Missing Authentication check in SAP Solution Manager (Diagnostics Agent) – with a CVSS Score of 9.8. Diagnostics Agent allows P4 connections from unauthenticated sources to an insecure Server port. This allows an attacker to control all remote functions on the Agent, as a result, sensitive data could be accessed and modified.
