SAP Security Notes - May 2020 - Safe O'Clock
Book a Demo Partner with us
Book a Demo Partner with us
Back To Resources

SAP Security Notes – May 2020

May 12, 2020

On the 12th of May 2020, SAP Security Patch Day saw the release of 18 new Security Notes.

There were 4 updates to previously released Patch Day Security Notes.

Notes by severity

HotNews 6
Correction with high priority 4
Correction with medium priority 12
Correction with low priority 0

Highlights

On May Patch Day SAP presents 10 high-severity Notes with 6 of them rated as HotNews.

Firstly, we would like to overview the Security Note 2835979Code Injection vulnerability in Service Data Download – with a CVSS Score of 9.9. An attacker has the possibility to inject code that can be executed by the Service Data Download application. An attacker could thereby control the behavior of the application and the whole ABAP system. This Code Injection vulnerability could therefore lead to unauthorized execution of commands, information disclosure and DoS.

Then comes the usual Chromium systems update with the Note 2622660Security updates for the browser control Google Chromium delivered with SAP Business Client – with a CVSS Score of 10.

SAP Business Objects, Business Intelligence Platform to be precise, receives two HotNews released Notes for this month. The first is 2885244 Security Note – Missing Authentication check in SAP Business Objects Business Intelligence Platform (Live Data Connect) – with a CVSS Score of 9.8. The server was not protected with a specific certificate to establish proper trusted authentication in the case BIPRWS application, so the potential attacker could log on to the Central Management Console without a password.

The second Note is 2863731Deserialization of Untrusted Data in SAP Business Objects Business Intelligence Platform (CR .Net SDK WebForm Viewer) – with a CVSS Score of 9.1. This Note was re-released with updated information.

The last pack of HotNews Notes in our digest is dedicated to SAP Adaptive Server Enterprise. The Security Note 2917275Code injection in SAP Adaptive Server Enterprise (Backup Server) – with a CVSS Score of 9.1. Executing DUMP or LOAD commands by a malicious user allows him to execute arbitrary code or Code Injection due to a lack of performing the necessary validation checks in the SAP Adaptive Server Enterprise (ASE) Backup Server.

The Note 2917090Information Disclosure in SAP Adaptive Server Enterprise (Cockpit) – with a CVSS Score of 9 – tells us that under certain conditions an attacker could access sensitive and confidential information through a local network which would otherwise be restricted, therefore affecting the system’s integrity and availability.

#sapsecurity #sapvulnerabilities #sapresearch
You Might Be Interested In

The latest news in the
sphere of SAP security

SAP Security Notes – October 2023

On the 10th of October 2023, SAP Security Patch Day saw the release of 6 new Security Notes. There were […]

Read more
SAP Security Notes – September 2023

On the 12th of September 2023, SAP Security Patch Day saw the release of 13 new Security Notes. There were […]

Read more
SAP Security Notes – August 2023

On the 8th of August 2023, SAP Security Patch Day saw the release of 15 new Security Notes. There were […]

Read more
SAP News Overview for July 2023

SAP Advisory Group speaks AI ethics Last month, the regular meeting of the SAP Advisory Group on the Ethics of Artificial […]

Read more
See All Resources

Subscribe today to get more insights,
updates, and industry trends

Delivered to your inbox weekly.
No spam. We respect your privacy

    This website use cookies. Learn more
    OK