SAP Security Patch Day – November 2020
Winter is coming. While the weather is getting cold outside the SAP Security Experts seem to be on fire. Today, like every second Tuesday of a month, 10th November 2020, SAP SE released 15 security patches for its vast product portfolio. While 3 previous patches received an update 12 new Security Notes got released in November.
What is an SAP Note?
SAP patches are provided in the form of so-called Notes. These Notes are accessible for licensed customers via the online SAP SE support platform. Any SAP Note is structured in sections: Symptoms, Reason, Prerequisites, and Solution. For security notes, one can find also the CVSS-section, describing the Common Vulnerability Scoring System (v3.0). Furthermore, a Note contains the two more sections, Software Components and Support Package Patches. While the Software Components section contains a listing of the impacted product(s) and version(s), the Support Package Patches provide information as of which version (and patch level) the vulnerability has been resolved.
Highlights of the Release
As a pre-word to the highlights section. We strongly encourage you to carefully review the patches released by the manufacturer. Whenever you can, apply the described solution instructions. A few days after Patch Tuesday we are going to provide additional information on our Advisory (abex.io/advisory) site.
We see 6 patches residing in the category “Hot News”. 3 are classified as “High” and 6 with severity “Medium”.
Note 2985866 and 2890213 are relevant for all customers running SAP Solution Manager 7.2 and a specific Support Package Patch level. According to our experts, those are severe vulnerabilities that need customer attention. We recommend you to install the patch adding the missing authentication check.
Note 2982840 fixes two vulnerabilities in the SAP Data Services. The name SAP Data Services is used for an entire family of products living in the ETL solution area. The first is classified with CVSS 9.8, allowing attackers to execute code remotely (RCE). The second part is removing the risk for Denial of Service attacks. We recommend you to upgrade the component to the corresponding Support Packages referenced by this SAP Security Note.
With a CVSS base score of 9.1, Note 2979062 addresses a Privilege escalation flaw in the UDDI Server of SAP NetWeaver Application Server JAVA. UDDI stands for Universal Description Discovery and Integration and is based on UDDI v3.0. The UDDI Project is an industry initiative that aims to enable businesses to quickly, easily, and dynamically find and carry out transactions with one another.
Summary by Severity
The November release contains a total of 15 patches for the following severities:
|2985866||[Multiple CVE IDs] Missing
Authentication Check in SAP Solution Manager (JAVA stack)CVE IDs
- CVE-2020-26821, CVE-2020-26822, CVE-2020-26823, CVE-2020-26824|
Product - SAP Solution Manager (JAVA stack), Version - 7.2
|2890213||Update to security note
released on March 2020 Patch Day:[CVE-2020-6207] Missing Authentication Check in SAP Solution
Product - SAP Solution Manager (User Experience Monitoring), Version - 7.2
in SAP Data ServicesRelated CVEs - CVE-2019-0230, CVE-2019-0233|
Product - SAP Data Services, Versions - 4.2
Injection in SAP AS ABAP and S/4 HANA (DMIS)|
Product - SAP AS ABAP(DMIS), Versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020
Product - SAP S4 HANA(DMIS), Versions - 101, 102, 103, 104, 105
escalation in SAP NetWeaver Application Server for Java (UDDI Server)|
Product - SAP NetWeaver AS JAVA, Versions - 7.20, 7.30, 7.31, 7.40, 7.50
|2928635||Update to security note
released on August 2020 Patch Day:[CVE-2020-6284] Cross-Site Scripting (XSS) in SAP NetWeaver (Knowledge
Product - SAP NetWeaver (Knowledge Management); Versions - 7.30, 7.31, 7.40, 7.50
|2984627||[CVE-2020-26815] Information Disclosure in SAP Fiori Launchpad (NewsTile Application)|
Product - SAP Fiori Launchpad (News Tile Application), Versions - 750,751,752,753,754,755
|2975189||[CVE-2020-26809] Information Disclosure in SAP Commerce Cloud|
Product - SAP Commerce Cloud, Versions - 1808,1811,1905,2005
Vulnerabilities in SAP Commerce Cloud (Accelerator Payment Mock)Additional CVE ID
Product - SAP Commerce Cloud (Accelerator Payment Mock), Versions - 1808, 1811, 1905, 2005
vulnerabilities in SAP NetWeaver AS ABAPAdditional CVE ID - CVE-2020-26819|
Product - SAP NetWeaver AS ABAP, Versions - 731, 740, 750, 751, 752, 753, 754, 755, 782
|2951325||Update to security note
released on September 2020 Patch Day:[CVE-2020-6311] Improper Authorization Checks in Banking services
from SAP Bank Analyzer and SAP S/4HANA Financial Products|
Product - BANKING SERVICES FROM SAP 9.0(Bank Analyzer), Version - 500
Product - S/4HANA FIN PROD SUBLDGR, Version - 100
|2952084||[CVE-2020-26814] Information Disclosure in SAP Process Integration (PGP Module –
Business-to-Business Add On)|
Product - SAP Process Integration (PGP Module – Business-to-Business Add On), Version - 1.0
Default Permissions in SAP ERP Client for E-Bilanz 1.0|
Product - SAP ERP Client for E-Bilanz 1.0, Version - 1.0
Authorization Check in SAP ERP and SAP S/4 HANA|
Product - SAP ERP, Versions - 600, 602, 603, 604, 605, 606, 616, 617, 618
Product - SAP S/4 HANA, Versions - 100, 101, 102, 103, 104
input validation in Visual Enterprise Viewer|
Product - SAP 3D Visual Enterprise Viewer, Versions - 9