On the 12th of November 2019, SAP Security Patch Day saw the release of 15 Security Notes.
Notes by severity
|Correction with high priority||1|
|Correction with medium priority||10|
|Correction with low priority||0|
On November Patch Day SAP presents 4 HotNews Security Notes.
We will start with Note 2622660 – Security updates for the browser control Google Chromium delivered with SAP Business Client – with the CVSS Score of 10. Another SAP Business Client version has been added to the ‘Solution’ section of the Note.
The rest three HotNews Notes are dedicated to the OS Command Injection vulnerability in SAP Diagnostics Agent issue. The original one is 2808158 – with a CVSS Score of 9.1 – and the updates follow. The OS Command Plugin in the transaction GPA_ADMIN and the OSCommand Console allow an attacker to inject code that can be executed by the application. An attacker could thereby control the behaviour of the application.
The first update listed, Note 2823733 – Update 1 to Security Note 2808158: [CVE-2019-0330] OS Command Injection vulnerability in SAP Diagnostics Agent with the same CVSS Score – replaces the corrections provided by Note 2808158. Right after the first update came the second – Update 2 – presented in Note 2839864. These consecutive updates were required because the security notes 2808158 and 2823733 Notes do not address all identified attack scenarios. Such scenarios could be found in the Update 2 ‘Solution’ section.