CERT-In Advisory
CIAD-2020-0067
Multiple Vulnerabilities in SAP Products
Original Issue Date: September 30, 2020
Severity Rating: High
Software Affected
- SAP Solution Manager (User Experience Monitoring), Version - 7.2
- SAP Marketing: Versions 130, 140, 150
- SAP NetWeaver: Versions 7.0, 7.01, 7.02, 7.03, 7.1, 7.2, 7.3, 7.4, 7.4, 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50
- SAP Abap Platform: Versions 7.0, 7.01, 7.02, 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, 7.51, 7.52, 7.53, 7.74, and 7.75
- SAP Commerce: Versions 6.7, 1808, 1811, 1905, 2005
- SAP NetWeaver AS ABAP (BSP Test Application), Versions - 700,701,702,730,731,740,750,751,752,753,754,755
- SAP Business Objects Business Intelligence suite: Versions 4.1, 4.2
- SAP 3D Visual Enterprise Viewer, Version - 9
- SAP Business Objects Business Intelligence Platform (BI Workspace), Versions - 4.1, 4.2
- SAP NetWeaver (Knowledge Management), Versions - 7.30, 7.31, 7.40, 7.50
- SAP NetWeaver AS JAVA (IIOP service) (SERVERCORE); Versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50
- BANKING SERVICES FROM SAP 9.0 (Bank Analyzer), Version - 500
- S/4HANA FIN PROD SUBLDGR, Version - 100
- SAPUI5 (SAP_UI); Versions - 750, 751, 752, 753, 754, 755
- SAP NetWeaver AS JAVA (IIOP service) (CORE-TOOLS); Versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50
- SAP Adaptive Server Enterprise: Versions 15.7, 16.0
- SAP Fiori Launchpad: Versions 750, 752, 753, 754, 755
Overview
Multiple vulnerabilities have been reported in SAP products which could be exploited by a remote attacker to perform cross-site scripting attacks, bypass access controls, carry out session fixation, abuse improper input validation, escalate privileges, inject code, cause denial of service, upload arbitrary files and obtain sensitive information on the targeted system.
Description
These vulnerabilities exist in SAP products due to improper access restrictions in the Mobile Channel Servlet, insufficient sanitization of user-supplied data, an improper session management mechanism, various boundary errors, inadequate filtering of content against the accessing user's privileges, insufficient authentication and authorization checks, and manipulation of an unspecified input.
A remote attacker could exploit these vulnerabilities by injecting arbitrary web script, or by tricking a victim into following a specially crafted link, causing arbitrary HTML and script code to execute in the user's browser in the context of the vulnerable website.
Successful exploitation of these vulnerabilities could allow an attacker to perform cross-site scripting attacks, bypass access controls, carry out session fixation, abuse improper input validation, escalate privileges, inject code, cause denial of service, upload arbitrary files and obtain sensitive information on the targeted system. This may further result in complete compromise of the confidentiality, integrity and availability of the targeted system.
Solution
Apply the appropriate patches as described on the SAP website:
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=557449700
Vendor Information
SAP
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=557449700
References
SAP
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=557449700
Onapsis
https://onapsis.com/blog/sap-security-notes-september-2020
CVE Name
CVE-2020-6207
CVE-2020-6318
CVE-2020-6320
CVE-2020-6296
CVE-2020-6275
CVE-2020-6311
CVE-2020-6302
CVE-2020-6324
CVE-2020-11022
CVE-2020-11023
CVE-2020-6282
CVE-2020-6326
CVE-2020-6325
CVE-2020-6283
CVE-2020-6322
CVE-2020-6327
CVE-2020-6330
CVE-2020-6333
CVE-2020-6346
CVE-2020-6350
CVE-2020-6339
CVE-2020-6356
CVE-2020-6360
CVE-2020-6361
CVE-2020-6328
CVE-2020-6341
CVE-2020-6343
CVE-2020-6351
CVE-2020-6352
CVE-2020-6358
CVE-2020-6348
CVE-2020-6349
CVE-2020-6347
CVE-2020-6337
CVE-2020-6331
CVE-2020-6332
CVE-2020-6335
CVE-2020-6314
CVE-2020-6359
CVE-2020-6344
CVE-2020-6340
CVE-2020-6336
CVE-2020-6338
CVE-2020-6334
CVE-2020-6353
CVE-2020-6329
CVE-2020-6354
CVE-2020-6345
CVE-2020-6355
CVE-2020-6342
CVE-2020-6321
CVE-2020-6357
CVE-2020-6317
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in
Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road
New Delhi - 110 003
India