Child pages
  • SAP Security Patch Day – November 2020
Skip to end of metadata
Go to start of metadata

This post by SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that the customer visits the Support Portal and applies patches on a priority to protect their SAP landscape.

On 10th of November 2020, SAP Security Patch Day saw the release of 12 Security Notes. There were 3 updates to previously released Patch Day Security Notes.

List of security notes released on November Patch Day:

Note#TitlePriorityCVSS
2985866[Multiple CVE IDs] Missing Authentication Check in SAP Solution Manager (JAVA stack)
CVE IDs - CVE-2020-26821, CVE-2020-26822CVE-2020-26823CVE-2020-26824
Product - SAP Solution Manager (JAVA stack), Version - 7.2
Hot News10
2890213Update to security note released on March 2020 Patch Day:
[CVE-2020-6207] Missing Authentication Check in SAP Solution Manager
Product - SAP Solution Manager (User Experience Monitoring), Version 7.2 
Hot News10
2982840Multiple Vulnerabilities in SAP Data Services
Related CVEs - CVE-2019-0230CVE-2019-0233
Product - SAP Data Services, Versions - 4.2
Hot News9.8
2973735[CVE-2020-26808] Code Injection in SAP AS ABAP and S/4 HANA (DMIS)
Product - SAP AS ABAP(DMIS), Versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020
Product SAP S4 HANA(DMIS), Versions - 101, 102, 103, 104, 105
Hot News9.1
2979062[CVE-2020-26820] Privilege escalation in SAP NetWeaver Application Server for Java (UDDI Server)
Product - SAP NetWeaver AS JAVA, Versions - 7.20, 7.30, 7.31, 7.40, 7.50
Hot News9.1
2928635Update to security note released on August 2020 Patch Day:
[CVE-2020-6284] Cross-Site Scripting (XSS) in SAP NetWeaver (Knowledge Management)
Product - SAP NetWeaver (Knowledge Management); Versions - 7.30, 7.31, 7.40, 7.50  
Hot News9
2984627

[CVE-2020-26815] Security Vulnerabilities in SAP Fiori Launchpad (NewsTile Application)
Additional CVE ID - CVE-2020-26825
Product - SAP Fiori Launchpad (News Tile Application), Versions - 750,751,752,753,754,755

High8.6
2975189

[CVE-2020-26809] Information Disclosure in SAP Commerce Cloud
Product - SAP Commerce Cloud, Versions - 1808,1811,1905,2005

High7.5
2975170[CVE-2020-26810] Multiple Vulnerabilities in SAP Commerce Cloud (Accelerator Payment Mock)
Additional CVE ID - CVE-2020-26811
Product - SAP Commerce Cloud (Accelerator Payment Mock), Versions - 1808, 1811, 1905, 2005
High7.5
2971954[CVE-2020-26818] Multiple vulnerabilities in SAP NetWeaver AS ABAP (Web Dynpro)
Additional CVE ID - CVE-2020-26819
Product - SAP NetWeaver AS ABAP, Versions - 731, 740, 750, 751, 752, 753, 754, 755, 782
Medium6.5
2951325Update to security note released on September 2020 Patch Day:
[CVE-2020-6311] Improper Authorization Checks in Banking services from SAP Bank Analyzer and SAP S/4HANA Financial Products
Product - BANKING SERVICES FROM SAP 9.0(Bank Analyzer), Version - 500
Product - S/4HANA FIN PROD SUBLDGR, Version - 100
Medium6.5
2952084[CVE-2020-26814] Information Disclosure in SAP Process Integration (PGP Module – Business-to-Business Add On)
Product - SAP Process Integration (PGP Module – Business-to-Business Add On), Version - 1.0
Medium4.9
2971112[CVE-2020-26807] Incorrect Default Permissions in SAP ERP Client for E-Bilanz 1.0
Product - SAP ERP Client for E-Bilanz 1.0, Version - 1.0
Medium4.4
2944188[CVE-2020-6316] Missing Authorization Check in SAP ERP and SAP S/4 HANA
Product - SAP ERP, Versions - 600, 602, 603, 604, 605, 606, 616, 617, 618
Product - SAP S/4 HANA, Versions - 100, 101, 102, 103, 104

Medium4.3
2985094[CVE-2020-26817] Improper input validation in Visual Enterprise Viewer
Product - SAP 3D Visual Enterprise Viewer, Versions - 9
Medium4.3

, ________________________________________________________________________________

Vulnerability Type Distribution -  November 2020

#Multiple vulnerabilities on same product can be fixed by one security note. 


Security Notes vs Priority Distribution (June 2020 – November 2020)**

* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in SAP Support Portal

** Any Patch Day Security Note released after the second Tuesday, will be accounted for in the following SAP Security Patch Day.


Customers who would like to take a look at all Security Notes published or updated after October 13, 2020, go to Launchpad Expert Search → Filter 'SAP Security Notes' released between 'October 14, 2020 - November 10, 2020' → Go.

To know more about the security researchers and research companies who have contributed for security patches of this month, visit SAP Product Security Response Acknowledgement Page.

Do write to us at secure@sap.com with all your comments and feedback on this blog post.

SAP Product Security Response Team

  • No labels