Enterprise software maker SAP released its May security patches, which cover six critical issues in several of its products, three of them with a severity score very close to maximum.
All but one of these flaws are remotely exploitable, require no user interaction, and have a low attack complexity. Not all of them are new vulnerabilities, though; one of them is an update to a security note from April 2018.
These are different from the security issues the company announced last week, which impact cloud-based products and will get a fix before the end of the second quarter of the year.
Critical bug alerts
SAP’s May 2020 Security Patch Day includes almost two dozen alerts for various types of vulnerabilities and half of them are for critical and high-severity bugs.
The gravest of them is tracked as CVE-2020-6262 and has a severity score of 9.9 out of 10. It is a code injection vulnerability in Service Data Download and impacts multiple versions of SAP Application Server ABAP (2008_1_46C, 2008_1_620, 2008_1_640, 2008_1_700, 2008_1_710, 740).
The second most serious security flaw on the list is CVE-2020-6242, with a severity rating of 9.8. It is a missing authentication check in SAP Business Objects Business Intelligence Platform (Live Data Connect), versions 1.0, 2.0, 2.X.
A security update for the Chromium browser shipped with SAP Business Client is also listed as critical (9.8), based on the Common Vulnerability Scoring System (CVSS) version 3.
Another code injection was addressed in the backup server of SAP Adaptive Server Enterprise (ASE) version 16.0. Identified as CVE-2020-6248, its severity is calculated at 9.1.
The same score was given to an update to a security note on April 2020 Patch Day, tracked as CVE-2020-6219 – a deserialization of untrusted data in SAP Business Objects Business Intelligence Platform (CR .Net SDK WebForm Viewer) versions 4.1 and 4.2.
An information disclosure flaw – CVE-2020-6252 (9.0) – in SAP ASE’s graphical administration tool, Cockpit, is the last on the list of critical vulnerabilities the company addresses with this week’s patches.
SAP also addressed other high and medium-severity security vulnerabilities impacting Adaptive Server Enterprise and some of its components:
- an SQL injection bug, CVE-2020-6241 (8.8)
- a code injection in SAP ASE’s XP server on Windows platform, CVE-2020-6243 (8)
- an SQL injection affecting SAP ASE’s Web Services, CVE-2020-6253 (7.2)
- an information disclosure, CVE-2020-6250 (6.8)
- a missing authorization check, CVE-2020-6259 (6.5)
SAP customers are strongly recommended to prioritize applying this month’s patches, available via the company’s support portal.
The information is gathered from Bleeping Computer.