SAP Security Patch Day – November 2020
Chapters
Share Article
Winter is coming. While the weather is getting cold outside the SAP Security Experts seem to be on fire. Today, like every second Tuesday of a month, 10th November 2020, SAP SE released 15 security patches for its vast product portfolio. While 3 previous patches received an update 12 new Security Notes got released in November.
What is an SAP Note?
SAP patches are provided in the form of so-called Notes. These Notes are accessible for licensed customers via the online SAP SE support platform. Any SAP Note is structured in sections: Symptoms, Reason, Prerequisites, and Solution. For security notes, one can find also the CVSS-section, describing the Common Vulnerability Scoring System (v3.0). Furthermore, a Note contains the two more sections, Software Components and Support Package Patches. While the Software Components section contains a listing of the impacted product(s) and version(s), the Support Package Patches provide information as of which version (and patch level) the vulnerability has been resolved.
Highlights of the Release
As a pre-word to the highlights section. We strongly encourage you to carefully review the patches released by the manufacturer. Whenever you can, apply the described solution instructions. A few days after Patch Tuesday we are going to provide additional information on our Advisory (abex.io/advisory) site.
We see 6 patches residing in the category “Hot News”. 3 are classified as “High” and 6 with severity “Medium”.
Note 2985866 and 2890213 are relevant for all customers running SAP Solution Manager 7.2 and a specific Support Package Patch level. According to our experts, those are severe vulnerabilities that need customer attention. We recommend you to install the patch adding the missing authentication check.
Note 2982840 fixes two vulnerabilities in the SAP Data Services. The name SAP Data Services is used for an entire family of products living in the ETL solution area. The first is classified with CVSS 9.8, allowing attackers to execute code remotely (RCE). The second part is removing the risk for Denial of Service attacks. We recommend you to upgrade the component to the corresponding Support Packages referenced by this SAP Security Note.
With a CVSS base score of 9.1, Note 2979062 addresses a Privilege escalation flaw in the UDDI Server of SAP NetWeaver Application Server JAVA. UDDI stands for Universal Description Discovery and Integration and is based on UDDI v3.0. The UDDI Project is an industry initiative that aims to enable businesses to quickly, easily, and dynamically find and carry out transactions with one another.
Summary by Severity
The November release contains a total of 15 patches for the following severities:
Severity | Number |
---|---|
Hot News
|
6 |
High
|
3 |
Medium
|
6 |
Note | Description | Severity | CVSS |
---|---|---|---|
2985866 | [Multiple CVE IDs] Missing
Authentication Check in SAP Solution Manager (JAVA stack)CVE IDs
- CVE-2020-26821, CVE-2020-26822, CVE-2020-26823, CVE-2020-26824 Product - SAP Solution Manager (JAVA stack), Version - 7.2 |
Hot News
|
10 |
2890213 | Update to security note
released on March 2020 Patch Day:[CVE-2020-6207] Missing Authentication Check in SAP Solution
Manager Product - SAP Solution Manager (User Experience Monitoring), Version - 7.2 |
Hot News
|
10 |
2982840 | Multiple Vulnerabilities
in SAP Data ServicesRelated CVEs - CVE-2019-0230, CVE-2019-0233 Product - SAP Data Services, Versions - 4.2 |
Hot News
|
9.8 |
2973735 | [CVE-2020-26808] Code
Injection in SAP AS ABAP and S/4 HANA (DMIS) Product - SAP AS ABAP(DMIS), Versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020 Product - SAP S4 HANA(DMIS), Versions - 101, 102, 103, 104, 105 |
Hot News
|
9.1 |
2979062 | [CVE-2020-26820] Privilege
escalation in SAP NetWeaver Application Server for Java (UDDI Server) Product - SAP NetWeaver AS JAVA, Versions - 7.20, 7.30, 7.31, 7.40, 7.50 |
Hot News
|
9.1 |
2928635 | Update to security note
released on August 2020 Patch Day:[CVE-2020-6284] Cross-Site Scripting (XSS) in SAP NetWeaver (Knowledge
Management) Product - SAP NetWeaver (Knowledge Management); Versions - 7.30, 7.31, 7.40, 7.50 |
Hot News
|
9 |
2984627 | [CVE-2020-26815] Information Disclosure in SAP Fiori Launchpad (NewsTile Application) Product - SAP Fiori Launchpad (News Tile Application), Versions - 750,751,752,753,754,755 |
High
|
8.6 |
2975189 | [CVE-2020-26809] Information Disclosure in SAP Commerce Cloud Product - SAP Commerce Cloud, Versions - 1808,1811,1905,2005 |
High
|
7.5 |
2975170 | [CVE-2020-26810] Multiple
Vulnerabilities in SAP Commerce Cloud (Accelerator Payment Mock)Additional CVE ID
- CVE-2020-26811 Product - SAP Commerce Cloud (Accelerator Payment Mock), Versions - 1808, 1811, 1905, 2005 |
High
|
7.5 |
2971954 | [CVE-2020-26818] Multiple
vulnerabilities in SAP NetWeaver AS ABAPAdditional CVE ID - CVE-2020-26819 Product - SAP NetWeaver AS ABAP, Versions - 731, 740, 750, 751, 752, 753, 754, 755, 782 |
Medium
|
6.5 |
2951325 | Update to security note
released on September 2020 Patch Day:[CVE-2020-6311] Improper Authorization Checks in Banking services
from SAP Bank Analyzer and SAP S/4HANA Financial Products Product - BANKING SERVICES FROM SAP 9.0(Bank Analyzer), Version - 500 Product - S/4HANA FIN PROD SUBLDGR, Version - 100 |
Medium
|
6.5 |
2952084 | [CVE-2020-26814] Information Disclosure in SAP Process Integration (PGP Module –
Business-to-Business Add On) Product - SAP Process Integration (PGP Module – Business-to-Business Add On), Version - 1.0 |
Medium
|
4.9 |
2971112 | [CVE-2020-26807] Incorrect
Default Permissions in SAP ERP Client for E-Bilanz 1.0 Product - SAP ERP Client for E-Bilanz 1.0, Version - 1.0 |
Medium
|
4.4 |
2944188 | [CVE-2020-6316] Missing
Authorization Check in SAP ERP and SAP S/4 HANA Product - SAP ERP, Versions - 600, 602, 603, 604, 605, 606, 616, 617, 618 Product - SAP S/4 HANA, Versions - 100, 101, 102, 103, 104 |
Medium
|
4.3 |
2985094 | [CVE-2020-26817] Improper
input validation in Visual Enterprise Viewer Product - SAP 3D Visual Enterprise Viewer, Versions - 9 |
Medium
|
4.3 |