SAP Security Patch Day – December 2020

This post by the SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply patches on a priority basis to protect their SAP landscape.

On 8th of December 2020, SAP Security Patch Day saw the release of 11 Security Notes. There were 2 updates to previously released Patch Day Security Notes.

List of security notes released on December Patch Day:

| Note# | Title | Priority | CVSS |
|---|---|---|---|
| 2974774 | [CVE-2020-26829] Missing Authentication Check In SAP NetWeaver AS JAVA (P2P Cluster Communication)<br>Product - SAP NetWeaver AS JAVA (P2P Cluster Communication), Versions - 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 | Hot News | 10 |
| 2989075 | [CVE-2020-26831] Missing XML Validation in SAP BusinessObjects Business Intelligence Platform (Crystal Report)<br>Product - SAP BusinessObjects BI Platform (Crystal Report), Versions - 4.1, 4.2, 4.3 | Hot News | 9.6 |
| 2983367 | [CVE-2020-26838] Code Injection vulnerability in SAP Business Warehouse (Master Data Management) and SAP BW4HANA<br>Product - SAP Business Warehouse, Versions - 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 782<br>Product - SAP BW4HANA, Versions - 100, 200 | Hot News | 9.1 |
| 2973735 | Update to security note released on November 2020 Patch Day:<br>[CVE-2020-26808] Code Injection in SAP AS ABAP and S/4 HANA (DMIS)<br>Product - SAP AS ABAP (DMIS), Versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020<br>Product - SAP S4 HANA (DMIS), Versions - 101, 102, 103, 104, 105 | Hot News | 9.1 |
| 2983204 | [CVE-2020-26837] Path traversal and Missing Authorization check in SAP Solution Manager 7.2 (User Experience Monitoring)<br>Additional CVE: CVE-2020-26830<br>Product - SAP Solution Manager (User Experience Monitoring), Version - 7.20 | High | 8.5 |
| 2993132 | [CVE-2020-26832] Missing Authorization check in SAP NetWeaver AS ABAP and SAP S4 HANA (SAP Landscape Transformation)<br>Product - SAP NetWeaver AS ABAP (SAP Landscape Transformation - DMIS), Versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020<br>Product - SAP S4 HANA (SAP Landscape Transformation), Versions - 101, 102, 103, 104, 105 | High | 7.6 |
| 2974330 | [CVE-2020-26826] Unrestricted File Upload vulnerability in SAP NetWeaver Application Server for Java (Process Integration Monitoring)<br>Product - SAP NetWeaver Application Server for Java, Versions - 7.31, 7.40, 7.50 | Medium | 6.5 |
| 2971180 | [CVE-2020-26828] Formula Injection in SAP Disclosure Management<br>Product - SAP Disclosure Management, Version - 10.1 | Medium | 5.4 |
| 2971163 | [CVE-2020-26816] Missing Encryption in SAP NetWeaver AS Java (Key Storage Service)<br>Product - SAP NetWeaver AS JAVA (Key Storage Service), Versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 | Medium | 5.4 |
| 2996479 | [CVE-2020-26835] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP<br>Product - SAP NetWeaver AS ABAP, Versions - 740, 750, 751, 752, 753, 754 | Medium | 5.3 |
| 2843016 | Update to security note released on November 2019 Patch Day:<br>[CVE-2019-0388] Content spoofing vulnerability in UI5 HTTP Handler<br>Product - SAP UI, Versions - 7.5, 7.51, 7.52, 7.53, 7.54<br>Product - SAP UI 700, Version - 2.0 | Medium | 4.3 |
| 2978768 | [CVE-2020-26834] Improper authentication in SAP HANA database<br>Product - SAP HANA Database, Version - 2.0 | Medium | 4.2 |
| 2938650 | [CVE-2020-26836] Open Redirect in SAP Solution Manager (Trace Analysis)<br>Product - SAP Solution Manager (Trace Analysis), Version - 7.20 | Low | 3.4 |



Vulnerability Type Distribution -  December 2020

# Multiple vulnerabilities on the same product can be fixed by one security note.


Security Notes vs Priority Distribution (July 2020 – December 2020)**

* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in the SAP Support Portal.

** Any Patch Day Security Note released after the second Tuesday will be accounted for in the following SAP Security Patch Day.


Customers who would like to take a look at all Security Notes published or updated after November 10, 2020 can go to Launchpad Expert Search → Filter 'SAP Security Notes' released between 'November 11, 2020 - December 8, 2020' → Go.

To learn more about the security researchers and research companies who have contributed to this month's security patches, visit the SAP Product Security Response Acknowledgement Page.

Do write to us at secure@sap.com with all your comments and feedback on this blog post.

SAP Product Security Response Team
