SAP Security Patch Day – November 2020

SAP security Patch day

Winter is coming. While the weather is getting cold outside the SAP Security Experts seem to be on fire. Today, like every second Tuesday of a month, 10th November 2020, SAP SE released 15 security patches for its vast product portfolio. While 3 previous patches received an update 12 new Security Notes got released in November.

What is an SAP Note?

SAP patches are provided in the form of so-called Notes. These Notes are accessible for licensed customers via the online SAP SE support platform. Any SAP Note is structured in sections: Symptoms, Reason,  Prerequisites, and Solution. For security notes, one can find also the CVSS-section, describing the Common Vulnerability Scoring System (v3.0). Furthermore, a Note contains the two more sections, Software Components and Support Package Patches. While the Software Components section contains a listing of the impacted product(s) and version(s), the Support Package Patches provide information as of which version (and patch level) the vulnerability has been resolved.

Highlights of the Release

As a pre-word to the highlights section. We strongly encourage you to carefully review the patches released by the manufacturer. Whenever you can, apply the described solution instructions. A few days after Patch Tuesday we are going to provide additional information on our Advisory (abex.io/advisory) site.

We see 6 patches residing in the category “Hot News”. 3 are classified as “High” and 6 with severity “Medium”.

Note 2985866 and 2890213 are relevant for all customers running SAP Solution Manager 7.2 and a specific Support Package Patch level. According to our experts, those are severe vulnerabilities that need customer attention. We recommend you to install the patch adding the missing authentication check.

Note 2982840 fixes two vulnerabilities in the SAP Data Services. The name SAP Data Services is used for an entire family of products living in the ETL solution area. The first is classified with CVSS 9.8, allowing attackers to execute code remotely (RCE). The second part is removing the risk for Denial of Service attacks. We recommend you to upgrade the component to the corresponding Support Packages referenced by this SAP Security Note.

With a CVSS base score of 9.1, Note 2979062 addresses a Privilege escalation flaw in the UDDI Server of SAP NetWeaver Application Server JAVA. UDDI stands for Universal Description Discovery and Integration and is based on UDDI v3.0. The UDDI Project is an industry initiative that aims to enable businesses to quickly, easily, and dynamically find and carry out transactions with one another.

Summary by Severity

The November release contains a total of 15 patches for the following severities:

Severity Number
Hot News
6
High
3
Medium
6
Note Description Severity CVSS
2985866 [Multiple CVE IDs] Missing Authentication Check in SAP Solution Manager (JAVA stack)CVE IDs - CVE-2020-26821, CVE-2020-26822, CVE-2020-26823, CVE-2020-26824
Product - SAP Solution Manager (JAVA stack), Version - 7.2
Hot News
10
2890213 Update to security note released on March 2020 Patch Day:[CVE-2020-6207] Missing Authentication Check in SAP Solution Manager
Product - SAP Solution Manager (User Experience Monitoring), Version - 7.2 
Hot News
10
2982840 Multiple Vulnerabilities in SAP Data ServicesRelated CVEs - CVE-2019-0230, CVE-2019-0233
Product - SAP Data Services, Versions - 4.2
Hot News
9.8
2973735 [CVE-2020-26808] Code Injection in SAP AS ABAP and S/4 HANA (DMIS)
Product - SAP AS ABAP(DMIS), Versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020
Product - SAP S4 HANA(DMIS), Versions - 101, 102, 103, 104, 105
Hot News
9.1
2979062 [CVE-2020-26820] Privilege escalation in SAP NetWeaver Application Server for Java (UDDI Server)
Product - SAP NetWeaver AS JAVA, Versions - 7.20, 7.30, 7.31, 7.40, 7.50
Hot News
9.1
2928635 Update to security note released on August 2020 Patch Day:[CVE-2020-6284] Cross-Site Scripting (XSS) in SAP NetWeaver (Knowledge Management)
Product - SAP NetWeaver (Knowledge Management); Versions - 7.30, 7.31, 7.40, 7.50  
Hot News
9
2984627 [CVE-2020-26815] Information Disclosure in SAP Fiori Launchpad (NewsTile Application)
Product - SAP Fiori Launchpad (News Tile Application), Versions - 750,751,752,753,754,755
High
8.6
2975189 [CVE-2020-26809] Information Disclosure in SAP Commerce Cloud
Product - SAP Commerce Cloud, Versions - 1808,1811,1905,2005
High
7.5
2975170 [CVE-2020-26810] Multiple Vulnerabilities in SAP Commerce Cloud (Accelerator Payment Mock)Additional CVE ID - CVE-2020-26811
Product - SAP Commerce Cloud (Accelerator Payment Mock), Versions - 1808, 1811, 1905, 2005
High
7.5
2971954 [CVE-2020-26818] Multiple vulnerabilities in SAP NetWeaver AS ABAPAdditional CVE ID - CVE-2020-26819
Product - SAP NetWeaver AS ABAP, Versions - 731, 740, 750, 751, 752, 753, 754, 755, 782
Medium
6.5
2951325 Update to security note released on September 2020 Patch Day:[CVE-2020-6311] Improper Authorization Checks in Banking services from SAP Bank Analyzer and SAP S/4HANA Financial Products
Product - BANKING SERVICES FROM SAP 9.0(Bank Analyzer), Version - 500
Product - S/4HANA FIN PROD SUBLDGR, Version - 100
Medium
6.5
2952084 [CVE-2020-26814] Information Disclosure in SAP Process Integration (PGP Module – Business-to-Business Add On)
Product - SAP Process Integration (PGP Module – Business-to-Business Add On), Version - 1.0
Medium
4.9
2971112 [CVE-2020-26807] Incorrect Default Permissions in SAP ERP Client for E-Bilanz 1.0
Product - SAP ERP Client for E-Bilanz 1.0, Version - 1.0
Medium
4.4
2944188 [CVE-2020-6316] Missing Authorization Check in SAP ERP and SAP S/4 HANA
Product - SAP ERP, Versions - 600, 602, 603, 604, 605, 606, 616, 617, 618
Product - SAP S/4 HANA, Versions - 100, 101, 102, 103, 104
Medium
4.3
2985094 [CVE-2020-26817] Improper input validation in Visual Enterprise Viewer
Product - SAP 3D Visual Enterprise Viewer, Versions - 9
Medium
4.3

Source

Posted by

Christoph Nagy
Share on linkedin
Share on twitter
Share on email
SAP Security Comparison Report

Download the Product Comparison Report and understand that holistic security for SAP can be delivered by a single solution.

Find recent Security Advisories for SAP©
Webinar SAP patch
The webinar, taking place on 05.10.2022, is all about SAP Patch Management and its challenges. The German-speaking SAP User Group (DSAG) and the American colleagues of ASUG asked why SAP security patching cannot be as simple and effective as, for example, Windows updates.
S/4HANA migration
SAP Cybersecurity- SAP Security Automation- Security News
“There are a few constants in life” – a statement that also applies to the SAP user community. It has always been a challenge for SAP customers to bring their large SAP environments to a current release level. Although the vendor has done a lot in the past to simplify this, it is still not a complex undertaking.
SecurityBridge
Here at SecurityBridge, we are extremely lucky to have a team full of amazing professionals. Thanks to our team, we have achieved extraordinary things in the past couple of years. With that in mind, we thought it was time for us to start introducing you to the team that drives everything behind the scenes. And we couldn't have chosen a better example to start with than our very own, Harish Dahima! Read on and learn all about Harish's life as a Senior Product Developer, his role, and life at SecurityBridge.
SAP Cloud Connector
SAP Cloud Security- SAP Cybersecurity- Security News
Every organization constantly faces the challenge of minimizing the attack surface that an adversary could use to perform malicious operations. To do this, administrators must install the deployed components and understand them in detail to identify risks and proactively mitigate or prevent those. Today we are looking at what is necessary to protect the SAP Cloud Connector.