SAP today released its security patches for August, alerting of new critical and high-severity vulnerabilities in several of its products, mostly NetWeaver Application Server (AS). The full list includes 16 advisories, almost half of them being for bugs that SAP customers should prioritize patching. SAP has also updated its security note for the maximum severity RECON vulnerability with a related bug that could enable an unauthenticated attacker to access various folders in the directory structure. The developer also updated the July 2020 Patch Day security note for RECON, a critical issue disclosed by researchers at cybersecurity firm Onapsis, who said that it impacted more than 40,000 SAP customers. Two days after disclosure, proof-of-concept  exploit code emerged and researchers recorded active scans for devices vulnerable to RECON. The new CVE for this advisory is CVE-2020-6286, which affects the LM configuration wizard in SAP NetWeaver AS Java. It stems from insufficient input path validation of a specific parameter in the web service of the product. While its severity score is medium (5.3/10), exploiting it does not require authentication and can enable an attacker to hop to other folders after downloading archive files (ZIP) to a specific directory.

Seven high-risk issues, one critical

However, the most important flaw in the list is a cross-site scripting (XSS) issue in the Knowledge Management component of NetWeaver AS, which received the identification number CVE-2020-6284 and has a critical severity score of 9/10. The same component received a fix for allowing unrestricted file upload (CVE-2020-6293). A missing authentication check has been fixed in SAP’s business intelligence platform BusinessObjects. Tracked as CVE-2020-6294, the bug has a high-severity rating of 8.5 and affects versions 4.2 and 4.3. In SAP Business Services (Generic Market Data), the developer addressed an issue now known as CVE-2020-6298 and with a slightly lower score, 8.3, referring to missing authorization. Several versions of NetWeaver (ABAP Server) and ABAP Platform have a code injection vulnerability (CVE-2020-6296) rated with a severity impact of 8.3.

SAP provides patches for another missing authentication check (CVE-2020-6309) discovered in various components of NetWeaver AS Java (EngineAPI, WSRM, ServerCore, and J2EE-FRMW).

Last on the list of more noteworthy updates is an information disclosure (CVE-2020-6295) in SAP Adaptive Server Enterprise version 16.0, with a calculated severity score of 7. Details for these bugs are still under wraps but SAP customers can learn the particularities by logging into their SAP ONE support launchpad account. A summary of all the vulnerabilities addressed in today’s security updates from SAP is available here.