Vulnerability

CERT-In Vulnerability Note CIVN-2020-0432
Multiple Vulnerabilities in SAP Products

Original Issue Date:December 10, 2020

Severity Rating: HIGH

Software Affected

SAP NetWeaver AS JAVA (P2P Cluster Communication), Versions - 7.11, 7.20, 7.30, 7.31, 7.40, 7.50
SAP BusinessObjects BI Platform (Crystal Report), Versions - 4.1, 4.2, 4.3
SAP Business Warehouse, Versions - 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 782
SAP BW4HANA, Versions - 100, 200
SAP AS ABAP(DMIS), Versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020
SAP S4 HANA(DMIS), Versions - 101, 102, 103, 104, 105
SAP Solution Manager (User Experience Monitoring), Version - 7.20
SAP NetWeaver AS ABAP (SAP Landscape Transformation - DMIS), Versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020
SAP S4 HANA (SAP Landscape Transformation), Versions - 101, 102, 103, 104, 105
SAP NetWeaver Application Server for Java, Versions - 7.31, 7.40, 7.50
SAP Disclosure Management, Version - 10.1
SAP NetWeaver AS JAVA (Key Storage Service), Versions - 7.10, 7.11, 7.20 ,7.30, 7.31, 7.40, 7.50
SAP NetWeaver AS ABAP, Versions - 740, 750, 751, 752, 753, 754
SAP UI, Versions - 7.5, 7.51, 7.52, 7.53, 7.54
SAP UI 700, Version - 2.0
SAP HANA Database, Version - 2.0
SAP Solution Manager (Trace Analysis), Version - 7.20

Overview

Multiple Vulnerabilities have been reported in SAP Products which could be exploited by a remote attacker to perform code injection attack, Cross Site Scripting attack, Missing XML Validation, Unrestricted File Upload, Formula Injection attack or perform other unauthorized activities on the targeted system.

Description

These vulnerabilities exist in SAP products due to inadequate filtering with the accessing users privileges, insufficient authentication checks, insufficient authorization check, incorrect hardening of the XML Parser, insufficient encoding of user controlled inputs, unsafe error and other flaws in the affected software.

A remote attacker could exploit these vulnerabilities by accessing user having administrative privileges and injecting malicious code, performing unauthorized queries, sending a specially crafted XML file and GIOP packets, downloading zip files to a specific directory and accessing confidential system configuration information.
Successful exploitation of these vulnerabilities could allow attacker to perform code injection attack, Cross Site Scripting attack, Missing XML Validation, Unrestricted File Upload, Formula Injection attack or perform other unauthorized activities on the targeted system.

Solution

Apply appropriate updates as mentioned in the vendor advisory:
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079

Vendor Information

SAP
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079

References

SAP
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079

CVE Name
CVE-2020-26808
CVE-2020-26816
CVE-2020-26826
CVE-2020-26828
CVE-2020-26829
CVE-2020-26831
CVE-2020-26832
CVE-2020-26834
CVE-2020-26835
CVE-2020-26836
CVE-2020-26837
CVE-2020-26838

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Email: info@cert-in.org.in
Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road,
New Delhi - 110 003
India