CERT-In Advisory
CIAD-2020-0030
Multiple Vulnerabilities in SAP products
Original Issue Date: May 19, 2020
Software Affected
- SAP Application Server ABAP, Versions - 2008_1_46C, 2008_1_620, 2008_1_640, 2008_1_700, 2008_1_710, 740
- SAP Business Client, Version - 6.5
- SAP Business Objects Business Intelligence Platform (Live Data Connect), Versions - 1.0, 2.0, 2.x
- SAP Adaptive Server Enterprise (Backup Server), Version - 16.0
- SAP Business Objects Business Intelligence Platform (CrystalReports WebForm Viewer), Versions - 4.1, 4.2
- SAP Adaptive Server Enterprise (Cockpit), Version - 16.0
- SAP Adaptive Server Enterprise (XP Server on Windows Platform), Versions - 15.7, 16.0
- SAP Master Data Governance, Versions - S4CORE 101; S4FND 102, 103, 104; SAP_BS_FND 748
- SAP Adaptive Server Enterprise (Web Services), Versions - 15.7, 16.0
- SAP Business Client, Version - 7.0
- SAP Business Objects Business Intelligence Platform, Version - 4.2
- SAP Adaptive Server Enterprise, Versions - 15.7, 16.0
- SAP Enterprise Threat Detection, Versions - 1.0, 2.0
- SAP Master Data Governance, Versions - 748, 749, 750, 751, 752, 800, 801, 802, 803, 804
- SAP Business Objects Business Intelligence Platform (CMC and BI launchpad), Version - 4.2
- SAP Plant Connectivity, Versions - 15.1, 15.2, 15.3, 15.4
- SAP NetWeaver AS ABAP (Web Dynpro ABAP), Version - SAP_UI 750, 752, 753, 754; SAP_BASIS 700, 710, 730, 731, 804
- SAP Business Objects Business Intelligence Platform, Versions - before 4.1, 4.2 and 4.3
- SAP Identity Management, Version - 8.0
Overview
Multiple vulnerabilities have been reported in SAP products, which could be exploited by a remote attacker to execute arbitrary code, inject malicious code, obtain sensitive information, cause denial of service conditions, perform cross-site scripting attacks, leading to path traversal or perform other unauthorized activities on a targeted system.
Description
These vulnerabilities exist in SAP products due to incorrect hardening of the XML Parser,insufficient encoding of user-controlled inputs,unsafe deserialization error,insufficient validation of path information provided by users, use-after-free errors, improper parsing of RPT files, improper input validations and other flaws in the affected software.
A remote attacker could exploit these vulnerabilities by injecting malicious code, performing unauthorized queries, sending a specially crafted XML file & GIOP packets, which could allow the attacker to overwrite, delete, or corrupt files on a targeted system.
Successful exploitation of these vulnerabilities could allow the attacker to inject malicious code, execute arbitrary code, obtain sensitive information, cause denial of service conditions, perform cross-site scripting attacks or perform other unauthorized activities on a targeted system.
Solution
Apply appropriate patches as mentioned on SAP website:
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=545396222
Vendor Information
SAP
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=545396222
References
SAP
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=545396222
Onapsis
https://www.onapsis.com/blog/sap-security-notes-may-2020
CVE Name
CVE-2020-6253
CVE-2020-6262
CVE-2020-6242
CVE-2020-6248
CVE-2020-6219
CVE-2020-6252
CVE-2020-6241
CVE-2020-6243
CVE-2020-6249
CVE-2020-6244
CVE-2020-6250
CVE-2020-6245
CVE-2020-6247
CVE-2020-6251
CVE-2020-6259
CVE-2020-6254
CVE-2020-6256
CVE-2020-6257
CVE-2020-6240
CVE-2019-0352
CVE-2020-6258
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in
Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road,
New Delhi - 110 003
India
|