This post by the SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply patches on a priority basis to protect their SAP landscape.
On the 10th of November 2020, SAP Security Patch Day saw the release of 12 Security Notes. There were 3 updates to previously released Patch Day Security Notes.
List of security notes released on November Patch Day:
Note# | Title | Priority | CVSS |
2985866 | [Multiple CVE IDs] Missing Authentication Check in SAP Solution Manager (JAVA stack); CVE IDs - CVE-2020-26821, CVE-2020-26822, CVE-2020-26823, CVE-2020-26824; Product - SAP Solution Manager (JAVA stack), Version - 7.2 | Hot News | 10 |
2890213 | Update to security note released on March 2020 Patch Day: [CVE-2020-6207] Missing Authentication Check in SAP Solution Manager; Product - SAP Solution Manager (User Experience Monitoring), Version - 7.2 | Hot News | 10 |
2982840 | Multiple Vulnerabilities in SAP Data Services; Related CVEs - CVE-2019-0230, CVE-2019-0233; Product - SAP Data Services, Versions - 4.2 | Hot News | 9.8 |
2973735 | [CVE-2020-26808] Code Injection in SAP AS ABAP and S/4 HANA (DMIS); Product - SAP AS ABAP(DMIS), Versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020; Product - SAP S4 HANA(DMIS), Versions - 101, 102, 103, 104, 105 | Hot News | 9.1 |
2979062 | [CVE-2020-26820] Privilege escalation in SAP NetWeaver Application Server for Java (UDDI Server); Product - SAP NetWeaver AS JAVA, Versions - 7.20, 7.30, 7.31, 7.40, 7.50 | Hot News | 9.1 |
2928635 | Update to security note released on August 2020 Patch Day: [CVE-2020-6284] Cross-Site Scripting (XSS) in SAP NetWeaver (Knowledge Management); Product - SAP NetWeaver (Knowledge Management), Versions - 7.30, 7.31, 7.40, 7.50 | Hot News | 9 |
2984627 | [CVE-2020-26815] Security Vulnerabilities in SAP Fiori Launchpad (NewsTile Application) | High | 8.6 |
2975189 | [CVE-2020-26809] Information Disclosure in SAP Commerce Cloud | High | 7.5 |
2975170 | [CVE-2020-26810] Multiple Vulnerabilities in SAP Commerce Cloud (Accelerator Payment Mock); Additional CVE ID - CVE-2020-26811; Product - SAP Commerce Cloud (Accelerator Payment Mock), Versions - 1808, 1811, 1905, 2005 | High | 7.5 |
2971954 | [CVE-2020-26818] Multiple vulnerabilities in SAP NetWeaver AS ABAP (Web Dynpro); Additional CVE ID - CVE-2020-26819; Product - SAP NetWeaver AS ABAP, Versions - 731, 740, 750, 751, 752, 753, 754, 755, 782 | Medium | 6.5 |
2951325 | Update to security note released on September 2020 Patch Day: [CVE-2020-6311] Improper Authorization Checks in Banking services from SAP Bank Analyzer and SAP S/4HANA Financial Products; Product - BANKING SERVICES FROM SAP 9.0(Bank Analyzer), Version - 500; Product - S/4HANA FIN PROD SUBLDGR, Version - 100 | Medium | 6.5 |
2952084 | [CVE-2020-26814] Information Disclosure in SAP Process Integration (PGP Module – Business-to-Business Add On); Product - SAP Process Integration (PGP Module – Business-to-Business Add On), Version - 1.0 | Medium | 4.9 |
2971112 | [CVE-2020-26807] Incorrect Default Permissions in SAP ERP Client for E-Bilanz 1.0; Product - SAP ERP Client for E-Bilanz 1.0, Version - 1.0 | Medium | 4.4 |
2944188 | [CVE-2020-6316] Missing Authorization Check in SAP ERP and SAP S/4 HANA; Product - SAP ERP, Versions - 600, 602, 603, 604, 605, 606, 616, 617, 618; Product - SAP S/4 HANA, Versions - 100, 101, 102, 103, 104 | Medium | 4.3 |
2985094 | [CVE-2020-26817] Improper input validation in Visual Enterprise Viewer; Product - SAP 3D Visual Enterprise Viewer, Versions - 9 | Medium | 4.3 |
[Figure: Vulnerability Type Distribution - November 2020]
# Multiple vulnerabilities on the same product can be fixed by one security note.
[Figure: Security Notes vs Priority Distribution (June 2020 – November 2020)**]
* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in the SAP Support Portal.
** Any Patch Day Security Note released after the second Tuesday will be accounted for in the following SAP Security Patch Day.
Customers who would like to take a look at all Security Notes published or updated after October 13, 2020, can go to Launchpad Expert Search → Filter 'SAP Security Notes' released between 'October 14, 2020 - November 10, 2020' → Go.
To learn more about the security researchers and research companies who have contributed to this month's security patches, visit the SAP Product Security Response Acknowledgement Page.
Do write to us at secure@sap.com with all your comments and feedback on this blog post.