The United States Computer Emergency Readiness Team (US-CERT) announced on November 10 (US time) in “SAP Releases November 2020 Security Updates | CISA” that SAP had released its monthly security patches for November 2020.
This release contains a total of 15 security-related fixes, covering insufficient authentication checks, code injection, and privilege escalation, among other vulnerabilities. If these vulnerabilities are left unpatched, there is a risk of damage such as theft of confidential information, execution of arbitrary code, and takeover of the system.
On the second Tuesday of every month, SAP releases security notes about vulnerabilities found in its products as “SAP Security Patch Day.” Information about the security notes released on SAP Security Patch Day in November 2020 is summarized on the following page.
- SAP Security Patch Day – November 2020 – Product Security Response at SAP – Community Wiki
Of the 15 vulnerabilities on the list, the following six are classified as the highest priority, “Hot News”.
- [CVE-2020-26821, CVE-2020-26822, CVE-2020-26823, CVE-2020-26824] Insufficient authentication check in SAP Solution Manager (JAVA stack)
- [CVE-2020-6207] Insufficient authentication check in SAP Solution Manager (User Experience Monitoring)
- [CVE-2019-0230, CVE-2019-0233] Multiple vulnerabilities in SAP Data Services
- [CVE-2020-26808] Code injection vulnerabilities in SAP AS ABAP and SAP S4 HANA (DMIS)
- [CVE-2020-26820] Privilege elevation vulnerability in SAP NetWeaver AS JAVA
- [CVE-2020-6284] Cross-site scripting (XSS) vulnerability in SAP NetWeaver (Knowledge Management)