Software Affected
•SAP Application Server ABAP, Versions - 2008_1_46C, 2008_1_620, 2008_1_640, 2008_1_700, 2008_1_710, 740
•SAP Business Client, Version - 6.5
•SAP Business Objects Business Intelligence Platform (Live Data Connect), Versions - 1.0, 2.0, 2.x
•SAP Adaptive Server Enterprise (Backup Server), Version - 16.0
•SAP Business Objects Business Intelligence Platform (CrystalReports WebForm Viewer), Versions - 4.1, 4.2
•SAP Adaptive Server Enterprise (Cockpit), Version - 16.0
•SAP Adaptive Server Enterprise (XP Server on Windows Platform), Versions - 15.7, 16.0
•SAP Master Data Governance, Versions - S4CORE 101; S4FND 102, 103, 104; SAP_BS_FND 748
•SAP Adaptive Server Enterprise (Web Services), Versions - 15.7, 16.0
•SAP Business Client, Version - 7.0
•SAP Business Objects Business Intelligence Platform, Version - 4.2
•SAP Adaptive Server Enterprise, Versions - 15.7, 16.0
•SAP Enterprise Threat Detection, Versions - 1.0, 2.0
•SAP Master Data Governance, Versions - 748, 749, 750, 751, 752, 800, 801, 802, 803, 804
•SAP Business Objects Business Intelligence Platform (CMC and BI launchpad), Version - 4.2
•SAP Plant Connectivity, Versions - 15.1, 15.2, 15.3, 15.4
•SAP NetWeaver AS ABAP (Web Dynpro ABAP), Version - SAP_UI 750, 752, 753, 754; SAP_BASIS 700, 710, 730, 731, 804
•SAP Business Objects Business Intelligence Platform, Versions - before 4.1, 4.2 and 4.3
•SAP Identity Management, Version - 8.0
Overview
Multiple vulnerabilities have been reported in SAP products, which could be
exploited by a remote attacker to execute arbitrary code, inject malicious
code, obtain sensitive information, cause denial of service conditions,
perform cross-site scripting attacks, perform path traversal, or perform
other unauthorized activities on a targeted system.
Description
These vulnerabilities exist in SAP products due to incorrect hardening of
the XML parser, insufficient encoding of user-controlled input, unsafe
deserialization, insufficient validation of user-supplied path information,
use-after-free errors, improper parsing of RPT files, improper input
validation, and other flaws in the affected software.
A remote attacker could exploit these vulnerabilities by injecting
malicious code, performing unauthorized queries, or sending a specially
crafted XML file or GIOP packets, which could allow the attacker to
overwrite, delete, or corrupt files on a targeted system.
Successful exploitation of these vulnerabilities could allow the attacker
to inject malicious code, execute arbitrary code, obtain sensitive
information, cause denial of service conditions, perform cross-site
scripting attacks or perform other unauthorized activities on a targeted
system.
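As an added illustration, not part of the CERT-In advisory or of any SAP code, of the "insufficient validation of user-supplied path information" flaw class named above and the file overwrite/delete impact it enables: a naive path join beside a hardened check that decodes once, normalises, and then requires the result to stay inside the intended directory. The base directory, file names and function names are assumptions for the example.

```python
import posixpath
from urllib.parse import unquote

# Constructed base directory for the example (an assumption, not from the advisory).
UPLOAD_ROOT = "/srv/app/uploads"


def naive_join(base, user_path):
    """The insufficient check: user-supplied path segments are trusted as-is,
    so '../../../etc/passwd' normalises straight out of the base directory."""
    return posixpath.normpath(posixpath.join(base, user_path))


def resolve_under_base(base, user_path):
    """Decode once, normalise, then require the result to stay under `base`.

    Returns the resolved path, or None when the request escapes the base
    directory (traversal via '..', an absolute path, encoded or double-encoded
    dots, or an embedded NUL). Only the lexical path is checked here; on a real
    filesystem, symlinks inside `base` still need a realpath() check on the
    opened file.
    """
    base = posixpath.normpath(base)
    decoded = unquote(user_path)          # '%2e%2e' -> '..': decode BEFORE validating
    if decoded != unquote(decoded):       # a second decode changed it: double-encoded, reject
        return None
    if posixpath.isabs(decoded) or "\x00" in decoded:
        return None
    candidate = posixpath.normpath(posixpath.join(base, decoded))
    # The trailing '/' matters: without it '/srv/app/uploads2' would pass as a prefix match.
    if candidate != base and not candidate.startswith(base + "/"):
        return None
    return candidate


if __name__ == "__main__":
    samples = ["report.rpt", "../../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd", "/etc/passwd"]
    for p in samples:
        print(f"{p!r:32} naive={naive_join(UPLOAD_ROOT, p)!r:36} "
              f"hardened={resolve_under_base(UPLOAD_ROOT, p)!r}")
```

The order of operations is the point: decoding after the prefix check, or checking the prefix without a trailing separator, leaves the check bypassable even though it looks correct.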
Solution
Apply the appropriate patches as mentioned on the SAP website.
Vendor Information
SAP
References
SAP
Onapsis
CVE Name
CVE-2020-6253
CVE-2020-6262
CVE-2020-6242
CVE-2020-6248
CVE-2020-6219
CVE-2020-6252
CVE-2020-6241
CVE-2020-6243
CVE-2020-6249
CVE-2020-6244
CVE-2020-6250
CVE-2020-6245
CVE-2020-6247
CVE-2020-6251
CVE-2020-6259
CVE-2020-6254
CVE-2020-6256
CVE-2020-6257
CVE-2020-6240
CVE-2019-0352
CVE-2020-6258
About Cert Advisory
We have created this blog to provide the latest security advisories from the India CERT on security vulnerabilities, threats, attacks, and the patching required to mitigate any kind of cyber attack.