On 10.03.2020 SAP SE released a security-relevant correction. The manufacturer resolves an issue within the BI/BO platform.
SAP Note 2826782 addresses "[CVE-2020-6196] Denial of service (DOS) in SAP BusinessObjects Mobile (MobileBIService)" to prevent denial of service (DoS); the risk of exploitation is rated high.
According to the SAP Security Advisory team, no workaround exists. The team suggests implementing the correction as part of regular maintenance.
Denial of Service (DoS) attacks that take a system offline can lead to significant cost for the company; studies quantify the average cost at between 4 and 5 million dollars. Business continuity requires SAP systems to stay online. CVSS scores and vulnerability descriptions alone do not convey how a simple bug can lead to a significant loss for a company.
Risk specification
SAP BusinessObjects Mobile allows an unauthenticated attacker to render a servlet unresponsive, causing a denial of service.
MobileBIService now validates the authenticity of notification requests. If it is from an unauthorized source, the request is discarded. If the request is from an authorized source, the request payload is parsed and processed.
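The validate-then-parse ordering the note describes, as an added illustration written for this page (not SAP's code; the note does not detail the actual mechanism): an HMAC over the raw body is checked in constant time, and a size cap is enforced, before any parsing of the notification payload takes place. The header name, the shared secret and the JSON payload format are assumptions.

```python
import hashlib
import hmac
import json

# Constructed limit: refuse oversized bodies before spending any parsing effort on them.
MAX_BODY_BYTES = 64 * 1024
SIGNATURE_HEADER = "X-Signature"  # assumed header name, not taken from the SAP note


def sign_body(secret: bytes, body: bytes) -> str:
    """HMAC-SHA256 over the raw body; what an authorized notification source attaches."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, presented: str) -> bool:
    """Constant-time comparison so the check leaks nothing about the expected value."""
    expected = sign_body(secret, body)
    return hmac.compare_digest(expected.encode("ascii"), presented.encode("utf-8"))


def handle_notification(secret: bytes, headers: dict, body: bytes):
    """Return (http_status, parsed_payload).

    Order matters: the cheap rejections (size, missing or bad signature) come first,
    so an unauthenticated sender never reaches the parser and cannot tie the
    servlet up with malformed or oversized input.
    """
    if len(body) > MAX_BODY_BYTES:
        return 413, None
    presented = headers.get(SIGNATURE_HEADER)
    if not presented or not verify_signature(secret, body, presented):
        return 401, None            # discarded without parsing
    try:
        payload = json.loads(body)  # only authorized input is parsed
    except ValueError:
        return 400, None
    return 200, payload


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    body = b'{"event": "report_ready", "id": 7}'
    print(handle_notification(secret, {SIGNATURE_HEADER: sign_body(secret, body)}, body))
    print(handle_notification(secret, {}, body))
```

The 401 path is a useful detection signal: a burst of discarded notifications from one source is worth alerting on even though the servlet stays responsive.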
The SAP BusinessObjects Business Intelligence suite is an analytics platform that allows SAP customers to make better decisions based on their business data. SAP BI is a module meant for producing business insights; it expands its power in combination with HANA DB and also exists as BW/4HANA. Because it processes sensitive business data, data security is of utmost importance.
The advisory is valid for
- 7.5 [CVE-2021-33670] Denial of Service (DoS) in SAP NetWeaver AS for Java (Http Service)
- 7.5 [CVE-2022-28772] Denial of service (DOS) in SAP Web Dispatcher and SAP NetWeaver (Internet Communication Manager)
- 7.5 [CVE-2020-6186] Denial of Service (DOS) Vulnerability in SAP Host Agent
- 7.5 Denial of service (DOS) in SAP Commerce
- 6.5 [CVE-2022-27670] Denial of service (DOS) in SQL Anywhere