
====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN578
_____________________________________________________________________

DATE                : 19/10/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running SAP Solution Manager and SAP Focused Run,
                     SAP Business Client,
                     SAP NetWeaver AS ABAP,
                     SAP NetWeaver AS JAVA and SAP Commerce,
                     SAP Business Objects Business Intelligence Platform,
                     SAP Landscape Management,
                     SAP Adaptive Extensions,
                     SAP 3D Visual Enterprise Viewer,
                     SAP Commerce Cloud,
                     SAP Business Planning and Consolidation,
                     SAP ERP (HCM Travel Management),
                     SAP Banking Services.

=====================================================================
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=558632196
_____________________________________________________________________

SAP Security Patch Day – October 2020


    Created by Risham Guram, last modified by Aditi Kulkarni on Oct 14, 2020



This post by the SAP Product Security Response Team shares information on
Patch Day Security Notes* that are released on the second Tuesday of every
month and fix vulnerabilities discovered in SAP products. SAP strongly
recommends that customers visit the Support Portal and apply the patches
as a priority to protect their SAP landscape.


On 13th of October 2020, SAP Security Patch Day saw the release of 15
Security Notes. There were 6 updates to previously released Patch Day
Security Notes.


List of security notes released on October Patch Day:

Note#    : 2969828
Title    : [CVE-2020-6364] OS Command Injection Vulnerability in CA
           Introscope Enterprise Manager (Affected Products: SAP Solution
           Manager and SAP Focused Run)
Product  : SAP Solution Manager (CA Introscope Enterprise Manager) and
           SAP Focused Run (CA Introscope Enterprise Manager)
Versions : WILY_INTRO_ENTERPRISE 9.7, 10.1, 10.5, 10.7
Priority : Hot News
CVSS     : 10

Note#    : 2622660
Title    : Update to security note released on April 2018 Patch Day:
           Security updates for the browser control Google Chromium
           delivered with SAP Business Client
Product  : SAP Business Client
Version  : 6.5
Priority : Hot News
CVSS     : 9.8

Note#    : 2941667
Title    : Update to security note released on August 2020 Patch Day:
           [CVE-2020-6296] Code Injection Vulnerability in SAP NetWeaver
           (ABAP) and ABAP Platform
Product  : SAP NetWeaver (ABAP Server) and ABAP Platform
Versions : 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 753, 755
Priority : High
CVSS     : 8.3

Note#    : 2972661
Title    : [CVE-2020-6367] Cross-Site Scripting (XSS) vulnerability in SAP
           NetWeaver Composite Application Framework
Product  : SAP NetWeaver Composite Application Framework
Versions : 7.20, 7.30, 7.31, 7.40, 7.50
Priority : High
CVSS     : 8.2

Note#    : 2969457
Title    : [CVE-2020-6366] Missing XML Validation in SAP NetWeaver
           (Compare Systems)
Product  : SAP NetWeaver (Compare Systems)
Versions : 7.20, 7.30, 7.31, 7.40, 7.50
Priority : High
CVSS     : 7.6

Note#    : 2971638
Title    : [CVE-2020-6369] Hard-coded Credentials in CA Introscope
           Enterprise Manager (Affected products: SAP Solution Manager
           and SAP Focused Run)
Product  : CA Introscope Enterprise Manager (Affected products: SAP
           Solution Manager and SAP Focused Run)
Versions : 9.7, 10.1, 10.5, 10.7
Priority : High
CVSS     : 7.5

Note#    : 2941315
Title    : Update to security note released on August 2020 Patch Day:
           [CVE-2020-6309] Missing Authentication check in SAP NetWeaver
           AS JAVA
Product  : SAP NetWeaver AS JAVA
Versions : ENGINEAPI 7.10, 7.10; WSRM 7.10, 7.11, 7.20, 7.30, 7.31, 7.40,
           7.50; J2EE-FRMW 7.10, 7.11
Priority : High
CVSS     : 7.5

Note#    : 2898077
Title    : Update to security note released on April 2020 Patch Day:
           [CVE-2020-6237] Information Disclosure in SAP Business Objects
           Business Intelligence Platform (dswsbobje Web Application)
Product  : SAP Business Objects Business Intelligence Platform
Versions : 4.1, 4.2
Priority : High
CVSS     : 7.5

Note#    : 2902456
Title    : Update to security note released on April 2020 Patch Day:
           [CVE-2020-6236] Privilege Escalation in SAP Landscape
           Management (SAP Adaptive Extensions)
Product  : SAP Landscape Management, Version 3.0;
           SAP Adaptive Extensions, Version 1.0
Priority : High
CVSS     : 7.2

Note#    : 2956398
Title    : [CVE-2020-6319] Cross-Site Scripting (XSS) vulnerability in SAP
           NetWeaver AS Java
Product  : SAP NetWeaver Application Server Java
Versions : 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50
Priority : Medium
CVSS     : 6.1

Note#    : 2973497
Title    : [CVE-2020-6315] Multiple Vulnerabilities in SAP 3D Visual
           Enterprise Viewer
           Additional CVEs: CVE-2020-6372, CVE-2020-6373, CVE-2020-6374,
           CVE-2020-6375, CVE-2020-6376
Product  : SAP 3D Visual Enterprise Viewer
Version  : 9
Priority : Medium
CVSS     : 5.7

Note#    : 2917381
Title    : [CVE-2020-6272] Cross-Site Scripting (XSS) vulnerability in SAP
           Commerce Cloud
Product  : SAP Commerce Cloud
Versions : 1808, 1811, 1905, 2005
Priority : Medium
CVSS     : 5.4

Note#    : 2960825
Title    : [CVE-2020-6368] Cross-Site Scripting (XSS) vulnerability in SAP
           Business Planning and Consolidation
Product  : SAP Business Planning and Consolidation
Versions : 750, 751, 752, 753, 754, 755, 810, 100, 200
Priority : Medium
CVSS     : 5.4

Note#    : 2949196
Title    : Update to security note released on August 2020 Patch Day:
           [CVE-2020-6301] Missing Authorization check in SAP ERP (HCM
           Travel Management)
Product  : SAP ERP (HCM Travel Management)
Versions : 600, 602, 603, 604, 605, 606, 607, 608
Priority : Medium
CVSS     : 5.4

Note#    : 2943844
Title    : [CVE-2020-6308] Server-Side Request Forgery vulnerability in
           SAP BusinessObjects Business Intelligence Platform (Web
           Services)
Product  : SAP BusinessObjects Business Intelligence Platform (Web
           Services)
Versions : 410, 420, 430
Priority : Medium
CVSS     : 5.3

Note#    : 2939419
Title    : [CVE-2020-6370] Cross-Site Scripting (XSS) vulnerability in SAP
           NetWeaver (DI Design Time Repository)
Product  : SAP NetWeaver (DI Design Time Repository)
Versions : 7.11, 7.30, 7.31, 7.40, 7.50
Priority : Medium
CVSS     : 4.8

Note#    : 2965315
Title    : [CVE-2020-6365] Reverse Tabnabbing vulnerability in SAP
           NetWeaver AS Java Start Page
Product  : SAP NetWeaver Application Server Java
Versions : 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50
Priority : Medium
CVSS     : 4.7

Note#    : 2960329
Title    : [CVE-2020-6323] Cross-Site Scripting (XSS) vulnerability in SAP
           NetWeaver Enterprise Portal (Fiori Framework Page)
Product  : SAP NetWeaver Enterprise Portal (Fiori Framework Page)
Versions : 7.50, 7.31, 7.40
Priority : Medium
CVSS     : 4.4

Note#    : 2963137
Title    : [CVE-2020-6371] Information disclosure in SAP NetWeaver AS ABAP
           via the POWL Test Feeder endpoint
Product  : SAP NetWeaver Application Server ABAP (POWL test application)
Versions : 710, 711, 730, 731, 740, 750
Priority : Medium
CVSS     : 4.3

Note#    : 2953212
Title    : [CVE-2020-6362] Incorrect Authorization in SAP Banking Services
Product  : SAP Banking Services
Version  : 500
Priority : Medium
CVSS     : 4.3

Note#    : 2965287
Title    : [CVE-2020-6363] Insufficient Session Expiration in SAP Commerce
           Cloud
Product  : SAP Commerce Cloud
Versions : 1808, 1811, 1905, 2005
Priority : Low
CVSS     : 3.7



* Patch Day Security Notes are all notes that appear under the category
of "Patch Day Notes" in the SAP Support Portal.

** Any Patch Day Security Note released after the second Tuesday will be
accounted for in the following SAP Security Patch Day.


Customers who would like to see all Security Notes published or updated
after September 8, 2020 can go to Launchpad Expert Search → Filter 'SAP
Security Notes' released between 'September 9, 2020 - October 13, 2020'
→ Go.

To learn more about the security researchers and research companies who
contributed to this month's security patches, visit the SAP Product
Security Response Acknowledgement Page.

Do write to us at secure@sap.com with all your comments and feedback on
this blog post.

SAP Product Security Response Team


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


