
SAP Security Patch Day – November 2020


Winter is coming. While the weather is getting cold outside, the SAP security experts seem to be on fire. Today, 10th November 2020, the second Tuesday of the month as usual, SAP SE released 15 security patches for its vast product portfolio: 12 new Security Notes and updates to 3 previously released ones.

What is an SAP Note?

SAP patches are provided in the form of so-called Notes, which licensed customers can access via the online SAP SE support platform. Every SAP Note is structured in sections: Symptoms, Reason, Prerequisites, and Solution. Security Notes additionally contain a CVSS section, giving the Common Vulnerability Scoring System (v3.0) rating, and two more sections, Software Components and Support Package Patches. The Software Components section lists the impacted product(s) and version(s); the Support Package Patches section states as of which version (and patch level) the vulnerability has been resolved.

Highlights of the Release

A word before the highlights: we strongly encourage you to carefully review the patches released by the manufacturer and, wherever you can, apply the described solution instructions. A few days after Patch Tuesday we will provide additional information on our Advisory site (abex.io/advisory).

We see 6 patches in the category “Hot News”, 3 classified as “High”, and 6 with severity “Medium”.

Notes 2985866 and 2890213 are relevant for all customers running SAP Solution Manager 7.2 at a specific Support Package Patch level. According to our experts, these are severe vulnerabilities that need customer attention. We recommend installing the patch, which adds the missing authentication check.

Note 2982840 fixes two vulnerabilities in SAP Data Services, a name used for an entire family of products in the ETL solution area. The first is rated CVSS 9.8 and allows attackers to execute code remotely (RCE); the second removes the risk of Denial of Service attacks. We recommend upgrading the component to the Support Packages referenced by this SAP Security Note.

With a CVSS base score of 9.1, Note 2979062 addresses a privilege escalation flaw in the UDDI Server of SAP NetWeaver Application Server Java. UDDI stands for Universal Description, Discovery and Integration; the server implements UDDI v3.0. The UDDI Project is an industry initiative that aims to enable businesses to quickly, easily, and dynamically find and carry out transactions with one another.

Summary by Severity

The November release contains a total of 15 patches for the following severities:

| Severity | Number |
|---|---|
| Hot News | 6 |
| High | 3 |
| Medium | 6 |
| Note | Description | Severity | CVSS |
|---|---|---|---|
| 2985866 | [Multiple CVE IDs] Missing Authentication Check in SAP Solution Manager (JAVA stack). CVE IDs - CVE-2020-26821, CVE-2020-26822, CVE-2020-26823, CVE-2020-26824. Product - SAP Solution Manager (JAVA stack), Version - 7.2 | Hot News | 10 |
| 2890213 | Update to security note released on March 2020 Patch Day: [CVE-2020-6207] Missing Authentication Check in SAP Solution Manager. Product - SAP Solution Manager (User Experience Monitoring), Version - 7.2 | Hot News | 10 |
| 2982840 | Multiple Vulnerabilities in SAP Data Services. Related CVEs - CVE-2019-0230, CVE-2019-0233. Product - SAP Data Services, Versions - 4.2 | Hot News | 9.8 |
| 2973735 | [CVE-2020-26808] Code Injection in SAP AS ABAP and S/4 HANA (DMIS). Product - SAP AS ABAP(DMIS), Versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020; Product - SAP S4 HANA(DMIS), Versions - 101, 102, 103, 104, 105 | Hot News | 9.1 |
| 2979062 | [CVE-2020-26820] Privilege escalation in SAP NetWeaver Application Server for Java (UDDI Server). Product - SAP NetWeaver AS JAVA, Versions - 7.20, 7.30, 7.31, 7.40, 7.50 | Hot News | 9.1 |
| 2928635 | Update to security note released on August 2020 Patch Day: [CVE-2020-6284] Cross-Site Scripting (XSS) in SAP NetWeaver (Knowledge Management). Product - SAP NetWeaver (Knowledge Management), Versions - 7.30, 7.31, 7.40, 7.50 | Hot News | 9 |
| 2984627 | [CVE-2020-26815] Information Disclosure in SAP Fiori Launchpad (NewsTile Application). Product - SAP Fiori Launchpad (News Tile Application), Versions - 750, 751, 752, 753, 754, 755 | High | 8.6 |
| 2975189 | [CVE-2020-26809] Information Disclosure in SAP Commerce Cloud. Product - SAP Commerce Cloud, Versions - 1808, 1811, 1905, 2005 | High | 7.5 |
| 2975170 | [CVE-2020-26810] Multiple Vulnerabilities in SAP Commerce Cloud (Accelerator Payment Mock). Additional CVE ID - CVE-2020-26811. Product - SAP Commerce Cloud (Accelerator Payment Mock), Versions - 1808, 1811, 1905, 2005 | High | 7.5 |
| 2971954 | [CVE-2020-26818] Multiple vulnerabilities in SAP NetWeaver AS ABAP. Additional CVE ID - CVE-2020-26819. Product - SAP NetWeaver AS ABAP, Versions - 731, 740, 750, 751, 752, 753, 754, 755, 782 | Medium | 6.5 |
| 2951325 | Update to security note released on September 2020 Patch Day: [CVE-2020-6311] Improper Authorization Checks in Banking services from SAP Bank Analyzer and SAP S/4HANA Financial Products. Product - BANKING SERVICES FROM SAP 9.0 (Bank Analyzer), Version - 500; Product - S/4HANA FIN PROD SUBLDGR, Version - 100 | Medium | 6.5 |
| 2952084 | [CVE-2020-26814] Information Disclosure in SAP Process Integration (PGP Module – Business-to-Business Add On). Product - SAP Process Integration (PGP Module – Business-to-Business Add On), Version - 1.0 | Medium | 4.9 |
| 2971112 | [CVE-2020-26807] Incorrect Default Permissions in SAP ERP Client for E-Bilanz 1.0. Product - SAP ERP Client for E-Bilanz 1.0, Version - 1.0 | Medium | 4.4 |
| 2944188 | [CVE-2020-6316] Missing Authorization Check in SAP ERP and SAP S/4 HANA. Product - SAP ERP, Versions - 600, 602, 603, 604, 605, 606, 616, 617, 618; Product - SAP S/4 HANA, Versions - 100, 101, 102, 103, 104 | Medium | 4.3 |
| 2985094 | [CVE-2020-26817] Improper input validation in Visual Enterprise Viewer. Product - SAP 3D Visual Enterprise Viewer, Versions - 9 | Medium | 4.3 |

Posted by

Christoph Nagy