cnvd-2020-65563
Vulnerability from cnvd
Title
SAP Solution Manager和SAP Focused Run操作系统命令注入漏洞
Description
SAP Solution Manager是一套集系统监控、SAP支持桌面、自助服务、ASAP实施等多个功能为一体的系统管理平台。该平台可以帮助客户建立SAP解决方案的生命周期管理,并提供系统监控、远程支持服务和SAP产品组件升级等功能。SAP Focused Run是一个数据中心和大客户系统运维管理方案(高容量监控,警报,诊断和分析的终极解决方案)。
SAP Solution Manager和SAP Focused Run WILY_INTRO_ENTERPRISE 9.7、10.1、10.5和10.7版本存在操作系统命令注入漏洞。攻击者可利用该漏洞修改Cookie,使其可以执行OS命令,并有可能获得对运行CA Introscope Enterprise Manager的主机的控制权,导致代码注入。
Severity
高
VLAI Severity ?
Patch Name
SAP Solution Manager和SAP Focused Run操作系统命令注入漏洞的补丁
Patch Description
SAP Solution Manager是一套集系统监控、SAP支持桌面、自助服务、ASAP实施等多个功能为一体的系统管理平台。该平台可以帮助客户建立SAP解决方案的生命周期管理,并提供系统监控、远程支持服务和SAP产品组件升级等功能。SAP Focused Run是一个数据中心和大客户系统运维管理方案(高容量监控,警报,诊断和分析的终极解决方案)。
SAP Solution Manager和SAP Focused Run WILY_INTRO_ENTERPRISE 9.7、10.1、10.5和10.7版本存在操作系统命令注入漏洞。攻击者可利用该漏洞修改Cookie,使其可以执行OS命令,并有可能获得对运行CA Introscope Enterprise Manager的主机的控制权,导致代码注入。目前,供应商发布了安全公告及相关补丁信息,修复了此漏洞。
Formal description
目前厂商已发布升级补丁以修复漏洞,补丁获取链接: https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=558632196
Reference
https://vigilance.fr/vulnerability/SAP-multiple-vulnerabilities-of-October-2020-33549
Impacted products
| Name | ['SAP SAP Focused Run 9.7', 'SAP SAP Focused Run 10.1', 'SAP SAP Focused Run 10.5', 'SAP SAP Focused Run 10.7', 'SAP SAP Solution Manager 9.7', 'SAP SAP Solution Manager 10.1', 'SAP SAP Solution Manager 10.5', 'SAP SAP Solution Manager 10.7'] |
|---|
{
"cves": {
"cve": {
"cveNumber": "CVE-2020-6364",
"cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2020-6364"
}
},
"description": "SAP Solution Manager\u662f\u4e00\u5957\u96c6\u7cfb\u7edf\u76d1\u63a7\u3001SAP\u652f\u6301\u684c\u9762\u3001\u81ea\u52a9\u670d\u52a1\u3001ASAP\u5b9e\u65bd\u7b49\u591a\u4e2a\u529f\u80fd\u4e3a\u4e00\u4f53\u7684\u7cfb\u7edf\u7ba1\u7406\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u53ef\u4ee5\u5e2e\u52a9\u5ba2\u6237\u5efa\u7acbSAP\u89e3\u51b3\u65b9\u6848\u7684\u751f\u547d\u5468\u671f\u7ba1\u7406\uff0c\u5e76\u63d0\u4f9b\u7cfb\u7edf\u76d1\u63a7\u3001\u8fdc\u7a0b\u652f\u6301\u670d\u52a1\u548cSAP\u4ea7\u54c1\u7ec4\u4ef6\u5347\u7ea7\u7b49\u529f\u80fd\u3002SAP Focused Run\u662f\u4e00\u4e2a\u6570\u636e\u4e2d\u5fc3\u548c\u5927\u5ba2\u6237\u7cfb\u7edf\u8fd0\u7ef4\u7ba1\u7406\u65b9\u6848(\u9ad8\u5bb9\u91cf\u76d1\u63a7,\u8b66\u62a5,\u8bca\u65ad\u548c\u5206\u6790\u7684\u7ec8\u6781\u89e3\u51b3\u65b9\u6848)\u3002\n\nSAP Solution Manager\u548cSAP Focused Run WILY_INTRO_ENTERPRISE 9.7\u300110.1\u300110.5\u548c10.7\u7248\u672c\u5b58\u5728\u64cd\u4f5c\u7cfb\u7edf\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u4fee\u6539Cookie\uff0c\u4f7f\u5176\u53ef\u4ee5\u6267\u884cOS\u547d\u4ee4\uff0c\u5e76\u6709\u53ef\u80fd\u83b7\u5f97\u5bf9\u8fd0\u884cCA Introscope Enterprise Manager\u7684\u4e3b\u673a\u7684\u63a7\u5236\u6743\uff0c\u5bfc\u81f4\u4ee3\u7801\u6ce8\u5165\u3002",
"formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=558632196",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2020-65563",
"openTime": "2020-11-23",
"patchDescription": "SAP Solution Manager\u662f\u4e00\u5957\u96c6\u7cfb\u7edf\u76d1\u63a7\u3001SAP\u652f\u6301\u684c\u9762\u3001\u81ea\u52a9\u670d\u52a1\u3001ASAP\u5b9e\u65bd\u7b49\u591a\u4e2a\u529f\u80fd\u4e3a\u4e00\u4f53\u7684\u7cfb\u7edf\u7ba1\u7406\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u53ef\u4ee5\u5e2e\u52a9\u5ba2\u6237\u5efa\u7acbSAP\u89e3\u51b3\u65b9\u6848\u7684\u751f\u547d\u5468\u671f\u7ba1\u7406\uff0c\u5e76\u63d0\u4f9b\u7cfb\u7edf\u76d1\u63a7\u3001\u8fdc\u7a0b\u652f\u6301\u670d\u52a1\u548cSAP\u4ea7\u54c1\u7ec4\u4ef6\u5347\u7ea7\u7b49\u529f\u80fd\u3002SAP Focused Run\u662f\u4e00\u4e2a\u6570\u636e\u4e2d\u5fc3\u548c\u5927\u5ba2\u6237\u7cfb\u7edf\u8fd0\u7ef4\u7ba1\u7406\u65b9\u6848(\u9ad8\u5bb9\u91cf\u76d1\u63a7,\u8b66\u62a5,\u8bca\u65ad\u548c\u5206\u6790\u7684\u7ec8\u6781\u89e3\u51b3\u65b9\u6848)\u3002\r\n\r\nSAP Solution Manager\u548cSAP Focused Run WILY_INTRO_ENTERPRISE 9.7\u300110.1\u300110.5\u548c10.7\u7248\u672c\u5b58\u5728\u64cd\u4f5c\u7cfb\u7edf\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u4fee\u6539Cookie\uff0c\u4f7f\u5176\u53ef\u4ee5\u6267\u884cOS\u547d\u4ee4\uff0c\u5e76\u6709\u53ef\u80fd\u83b7\u5f97\u5bf9\u8fd0\u884cCA Introscope Enterprise Manager\u7684\u4e3b\u673a\u7684\u63a7\u5236\u6743\uff0c\u5bfc\u81f4\u4ee3\u7801\u6ce8\u5165\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
"patchName": "SAP Solution Manager\u548cSAP Focused Run\u64cd\u4f5c\u7cfb\u7edf\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e\u7684\u8865\u4e01",
"products": {
"product": [
"SAP SAP Focused Run 9.7",
"SAP SAP Focused Run 10.1",
"SAP SAP Focused Run 10.5",
"SAP SAP Focused Run 10.7",
"SAP SAP Solution Manager 9.7",
"SAP SAP Solution Manager 10.1",
"SAP SAP Solution Manager 10.5",
"SAP SAP Solution Manager 10.7"
]
},
"referenceLink": "https://vigilance.fr/vulnerability/SAP-multiple-vulnerabilities-of-October-2020-33549",
"serverity": "\u9ad8",
"submitTime": "2020-10-19",
"title": "SAP Solution Manager\u548cSAP Focused Run\u64cd\u4f5c\u7cfb\u7edf\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…