SAP Security Patch Day – November 2020

Christoph Nagy
Managing director
November 10, 2020

Winter is coming. While the weather is getting cold outside, the SAP security experts seem to be on fire. Today, 10 November 2020, as on every second Tuesday of the month, SAP SE released 15 security patches for its vast product portfolio. Three previously released patches received an update, and 12 new Security Notes were released in November.

What is an SAP Note?

SAP patches are provided in the form of so-called Notes. These Notes are accessible to licensed customers via the online SAP SE support platform. Every SAP Note is structured in sections: Symptoms, Reason, Prerequisites, and Solution. Security Notes also include a CVSS section, describing the vulnerability according to the Common Vulnerability Scoring System (v3.0). Furthermore, a Note contains two more sections, Software Components and Support Package Patches. The Software Components section lists the impacted product(s) and version(s), while the Support Package Patches section states the version (and patch level) as of which the vulnerability has been resolved.

Highlights of the Release

A word before the highlights: we strongly encourage you to carefully review the patches released by the manufacturer. Whenever you can, apply the described solution instructions. A few days after Patch Tuesday, we will provide additional information on our Advisory site (abex.io/advisory).

We see 6 patches in the category “Hot News”; 3 are classified as “High” and 6 as “Medium”.

Notes 2985866 and 2890213 are relevant for all customers running SAP Solution Manager 7.2 at a specific Support Package Patch level. According to our experts, these are severe vulnerabilities that need customer attention. We recommend installing the patch, which adds the missing authentication check.

Note 2982840 fixes two vulnerabilities in SAP Data Services. The name SAP Data Services is used for an entire family of products in the ETL solution area. The first vulnerability is classified with CVSS 9.8 and allows attackers to execute code remotely (RCE). The second fix removes the risk of Denial of Service attacks. We recommend upgrading the component to the corresponding Support Packages referenced by this SAP Security Note.

With a CVSS base score of 9.1, Note 2979062 addresses a privilege escalation flaw in the UDDI Server of SAP NetWeaver Application Server for Java. UDDI stands for Universal Description, Discovery and Integration; the server is based on UDDI v3.0. The UDDI Project is an industry initiative that aims to enable businesses to quickly, easily, and dynamically find and carry out transactions with one another.

Summary by Severity

The November release contains a total of 15 patches for the following severities:

| Severity | Number |
| --- | --- |
| Hot News | 6 |
| High | 3 |
| Medium | 6 |

| Note | Description | Severity | CVSS |
| --- | --- | --- | --- |
| 2985866 | [Multiple CVE IDs] Missing Authentication Check in SAP Solution Manager (JAVA stack); CVE IDs - CVE-2020-26821, CVE-2020-26822, CVE-2020-26823, CVE-2020-26824; Product - SAP Solution Manager (JAVA stack), Version - 7.2 | Hot News | 10 |
| 2890213 | Update to security note released on March 2020 Patch Day: [CVE-2020-6207] Missing Authentication Check in SAP Solution Manager; Product - SAP Solution Manager (User Experience Monitoring), Version - 7.2 | Hot News | 10 |
| 2982840 | Multiple Vulnerabilities in SAP Data Services; Related CVEs - CVE-2019-0230, CVE-2019-0233; Product - SAP Data Services, Versions - 4.2 | Hot News | 9.8 |
| 2973735 | [CVE-2020-26808] Code Injection in SAP AS ABAP and S/4 HANA (DMIS); Product - SAP AS ABAP(DMIS), Versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020; Product - SAP S4 HANA(DMIS), Versions - 101, 102, 103, 104, 105 | Hot News | 9.1 |
| 2979062 | [CVE-2020-26820] Privilege escalation in SAP NetWeaver Application Server for Java (UDDI Server); Product - SAP NetWeaver AS JAVA, Versions - 7.20, 7.30, 7.31, 7.40, 7.50 | Hot News | 9.1 |
| 2928635 | Update to security note released on August 2020 Patch Day: [CVE-2020-6284] Cross-Site Scripting (XSS) in SAP NetWeaver (Knowledge Management); Product - SAP NetWeaver (Knowledge Management), Versions - 7.30, 7.31, 7.40, 7.50 | Hot News | 9 |
| 2984627 | [CVE-2020-26815] Information Disclosure in SAP Fiori Launchpad (NewsTile Application); Product - SAP Fiori Launchpad (News Tile Application), Versions - 750, 751, 752, 753, 754, 755 | High | 8.6 |
| 2975189 | [CVE-2020-26809] Information Disclosure in SAP Commerce Cloud; Product - SAP Commerce Cloud, Versions - 1808, 1811, 1905, 2005 | High | 7.5 |
| 2975170 | [CVE-2020-26810] Multiple Vulnerabilities in SAP Commerce Cloud (Accelerator Payment Mock); Additional CVE ID - CVE-2020-26811; Product - SAP Commerce Cloud (Accelerator Payment Mock), Versions - 1808, 1811, 1905, 2005 | High | 7.5 |
| 2971954 | [CVE-2020-26818] Multiple vulnerabilities in SAP NetWeaver AS ABAP; Additional CVE ID - CVE-2020-26819; Product - SAP NetWeaver AS ABAP, Versions - 731, 740, 750, 751, 752, 753, 754, 755, 782 | Medium | 6.5 |
| 2951325 | Update to security note released on September 2020 Patch Day: [CVE-2020-6311] Improper Authorization Checks in Banking services from SAP Bank Analyzer and SAP S/4HANA Financial Products; Product - BANKING SERVICES FROM SAP 9.0(Bank Analyzer), Version - 500; Product - S/4HANA FIN PROD SUBLDGR, Version - 100 | Medium | 6.5 |
| 2952084 | [CVE-2020-26814] Information Disclosure in SAP Process Integration (PGP Module – Business-to-Business Add On); Product - SAP Process Integration (PGP Module – Business-to-Business Add On), Version - 1.0 | Medium | 4.9 |
| 2971112 | [CVE-2020-26807] Incorrect Default Permissions in SAP ERP Client for E-Bilanz 1.0; Product - SAP ERP Client for E-Bilanz 1.0, Version - 1.0 | Medium | 4.4 |
| 2944188 | [CVE-2020-6316] Missing Authorization Check in SAP ERP and SAP S/4 HANA; Product - SAP ERP, Versions - 600, 602, 603, 604, 605, 606, 616, 617, 618; Product - SAP S/4 HANA, Versions - 100, 101, 102, 103, 104 | Medium | 4.3 |
| 2985094 | [CVE-2020-26817] Improper input validation in Visual Enterprise Viewer; Product - SAP 3D Visual Enterprise Viewer, Versions - 9 | Medium | 4.3 |
