This post by the SAP Product Security Response Team shares information on the Patch Day Security Notes* that are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply the patches as a priority to protect their SAP landscape.
On 8 December 2020, SAP Security Patch Day saw the release of 11 Security Notes. There were 2 updates to previously released Patch Day Security Notes.
List of security notes released on December Patch Day:

| Note | Title | Product(s) and Versions |
|---|---|---|
| 2974774 | [CVE-2020-26829] Missing Authentication Check in SAP NetWeaver AS JAVA (P2P Cluster Communication) | SAP NetWeaver AS JAVA (P2P Cluster Communication), Versions 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 |
| 2989075 | [CVE-2020-26831] Missing XML Validation in SAP BusinessObjects Business Intelligence Platform (Crystal Report) | SAP BusinessObjects BI Platform (Crystal Report), Versions 4.1, 4.2, 4.3 |
| 2983367 | [CVE-2020-26838] Code Injection vulnerability in SAP Business Warehouse (Master Data Management) and SAP BW4HANA | SAP Business Warehouse, Versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 782; SAP BW4HANA, Versions 100, 200 |
| 2973735 | Update to security note released on November 2020 Patch Day: [CVE-2020-26808] Code Injection in SAP AS ABAP and S/4 HANA (DMIS) | SAP AS ABAP (DMIS), Versions 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020; SAP S4 HANA (DMIS), Versions 101, 102, 103, 104, 105 |
| 2983204 | [CVE-2020-26837] Path traversal and Missing Authorization check in SAP Solution Manager 7.2 (User Experience Monitoring); additional CVE: CVE-2020-26830 | SAP Solution Manager (User Experience Monitoring), Version 7.20 |
| 2993132 | [CVE-2020-26832] Missing Authorization check in SAP NetWeaver AS ABAP and SAP S4 HANA (SAP Landscape Transformation) | SAP NetWeaver AS ABAP (SAP Landscape Transformation - DMIS), Versions 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020; SAP S4 HANA (SAP Landscape Transformation), Versions 101, 102, 103, 104, 105 |
| 2974330 | [CVE-2020-26826] Unrestricted File Upload vulnerability in SAP NetWeaver Application Server for Java (Process Integration Monitoring) | SAP NetWeaver Application Server for Java, Versions 7.31, 7.40, 7.50 |
| 2971180 | [CVE-2020-26828] Formula Injection in SAP Disclosure Management | SAP Disclosure Management, Version 10.1 |
| 2971163 | [CVE-2020-26816] Missing Encryption in SAP NetWeaver AS Java (Key Storage Service) | SAP NetWeaver AS JAVA (Key Storage Service), Versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 |
| 2996479 | [CVE-2020-26835] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP | SAP NetWeaver AS ABAP, Versions 740, 750, 751, 752, 753, 754 |
| 2843016 | Update to security note released on November 2019 Patch Day: [CVE-2019-0388] Content spoofing vulnerability in UI5 HTTP Handler | SAP UI, Versions 7.5, 7.51, 7.52, 7.53, 7.54; SAP UI 700, Version 2.0 |
| 2978768 | [CVE-2020-26834] Improper authentication in SAP HANA database | SAP HANA Database, Version 2.0 |
| 2938650 | [CVE-2020-26836] Open Redirect in SAP Solution Manager (Trace Analysis) | SAP Solution Manager (Trace Analysis), Version 7.20 |
[Chart: Vulnerability Type Distribution - December 2020]
# Multiple vulnerabilities in the same product can be fixed by one security note.
[Chart: Security Notes vs Priority Distribution (July 2020 – December 2020)**]
* Patch Day Security Notes are all notes that appear under the category “Patch Day Notes” in the SAP Support Portal.
** Any Patch Day Security Note released after the second Tuesday will be accounted for in the following SAP Security Patch Day.
Customers who would like to see all Security Notes published or updated after November 10, 2020 can go to Launchpad Expert Search → Filter 'SAP Security Notes' released between 'November 11, 2020 - December 8, 2020' → Go.
To learn more about the security researchers and research companies who contributed to this month's security patches, visit the SAP Product Security Response Acknowledgement Page.
Please write to us at firstname.lastname@example.org with your comments and feedback on this blog post.