This post by SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that the customer visits the Support Portal and applies patches on a priority to protect their SAP landscape.
On 10th of November 2020, SAP Security Patch Day saw the release of 12 Security Notes. There were 3 updates to previously released Patch Day Security Notes.
List of security notes released on November Patch Day:
|2985866||[Multiple CVE IDs] Missing Authentication Check in SAP Solution Manager (JAVA stack)|
CVE IDs - CVE-2020-26821, CVE-2020-26822, CVE-2020-26823, CVE-2020-26824
Product - SAP Solution Manager (JAVA stack), Version - 7.2
|2890213||Update to security note released on March 2020 Patch Day:|
[CVE-2020-6207] Missing Authentication Check in SAP Solution Manager
Product - SAP Solution Manager (User Experience Monitoring), Version - 7.2
|2982840||Multiple Vulnerabilities in SAP Data Services|
Related CVEs - CVE-2019-0230, CVE-2019-0233
Product - SAP Data Services, Versions - 4.2
|2973735||[CVE-2020-26808] Code Injection in SAP AS ABAP and S/4 HANA (DMIS)|
Product - SAP AS ABAP(DMIS), Versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020
Product - SAP S4 HANA(DMIS), Versions - 101, 102, 103, 104, 105
|2979062||[CVE-2020-26820] Privilege escalation in SAP NetWeaver Application Server for Java (UDDI Server)|
Product - SAP NetWeaver AS JAVA, Versions - 7.20, 7.30, 7.31, 7.40, 7.50
|2928635||Update to security note released on August 2020 Patch Day:|
[CVE-2020-6284] Cross-Site Scripting (XSS) in SAP NetWeaver (Knowledge Management)
Product - SAP NetWeaver (Knowledge Management); Versions - 7.30, 7.31, 7.40, 7.50
[CVE-2020-26815] Security Vulnerabilities in SAP Fiori Launchpad (NewsTile Application)
[CVE-2020-26809] Information Disclosure in SAP Commerce Cloud
|2975170||[CVE-2020-26810] Multiple Vulnerabilities in SAP Commerce Cloud (Accelerator Payment Mock)|
Additional CVE ID - CVE-2020-26811
Product - SAP Commerce Cloud (Accelerator Payment Mock), Versions - 1808, 1811, 1905, 2005
|2971954||[CVE-2020-26818] Multiple vulnerabilities in SAP NetWeaver AS ABAP (Web Dynpro)|
Additional CVE ID - CVE-2020-26819
Product - SAP NetWeaver AS ABAP, Versions - 731, 740, 750, 751, 752, 753, 754, 755, 782
|2951325||Update to security note released on September 2020 Patch Day:|
[CVE-2020-6311] Improper Authorization Checks in Banking services from SAP Bank Analyzer and SAP S/4HANA Financial Products
Product - BANKING SERVICES FROM SAP 9.0(Bank Analyzer), Version - 500
Product - S/4HANA FIN PROD SUBLDGR, Version - 100
|2952084||[CVE-2020-26814] Information Disclosure in SAP Process Integration (PGP Module – Business-to-Business Add On)|
Product - SAP Process Integration (PGP Module – Business-to-Business Add On), Version - 1.0
|2971112||[CVE-2020-26807] Incorrect Default Permissions in SAP ERP Client for E-Bilanz 1.0|
Product - SAP ERP Client for E-Bilanz 1.0, Version - 1.0
|2944188||[CVE-2020-6316] Missing Authorization Check in SAP ERP and SAP S/4 HANA|
Product - SAP ERP, Versions - 600, 602, 603, 604, 605, 606, 616, 617, 618
Product - SAP S/4 HANA, Versions - 100, 101, 102, 103, 104
|2985094||[CVE-2020-26817] Improper input validation in Visual Enterprise Viewer|
Product - SAP 3D Visual Enterprise Viewer, Versions - 9
Vulnerability Type Distribution - November 2020
#Multiple vulnerabilities on same product can be fixed by one security note.
Security Notes vs Priority Distribution (June 2020 – November 2020)**
* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in SAP Support Portal
** Any Patch Day Security Note released after the second Tuesday, will be accounted for in the following SAP Security Patch Day.
Customers who would like to take a look at all Security Notes published or updated after October 13, 2020, go to Launchpad Expert Search → Filter 'SAP Security Notes' released between 'October 14, 2020 - November 10, 2020' → Go.
To know more about the security researchers and research companies who have contributed for security patches of this month, visit SAP Product Security Response Acknowledgement Page.
Do write to us at firstname.lastname@example.org with all your comments and feedback on this blog post.