SAP Security Notes Review: November 2020


SAP’s security patch day for November 2020 has seen the release of 11 OSS SAP security notes and 2 updates to existing notes. Based on their CVSS v3.0 ratings, 0 OSS notes have been classified as low, 5 as medium, 3 as high and 5 as critical.


SAP Security Notes Nov 20


Vulnerabilities: November 2020 Highlights


[CVE-2020-6316] Missing Authorization Check in SAP ERP and SAP S/4 HANA (SAP Note 2944188)

SAP ERP and SAP S/4 HANA allow an authenticated user to see cost records for objects to which they have no authorization in PS reporting. This can happen when a user has authorization for only part of a project and runs a reporting transaction in which costs for the whole project are shown.

[CVE-2020-26820] Privilege escalation in SAP NetWeaver Application Server for Java (UDDI Server) (SAP Note 2979062)

The UDDI Server of SAP NetWeaver Application Server for Java allows an attacker to execute arbitrary OS commands without having the required permissions, an escalation of privileges vulnerability. The potential impact is total compromise of the confidentiality, integrity and availability of the server OS.

[CVE-2020-26818] Multiple vulnerabilities in SAP NetWeaver AS ABAP (Web Dynpro) (SAP Note 2971954)

This SAP security note addresses multiple vulnerabilities identified in the Web Dynpro component of SAP NetWeaver AS ABAP. Firstly, SAP NetWeaver AS ABAP allows an authenticated user access to Web Dynpro components that reveal sensitive system information which would otherwise be restricted to highly privileged users. Secondly, SAP NetWeaver AS ABAP can allow an authenticated user access to Web Dynpro components that let them read and modify database log files.

About this review

On the second Tuesday of each month, SAP releases security updates for its software products. At Absoft, we analyse all of the released security updates and produce this security review, including sending bespoke recommendations to each of our managed service customers.

There is more information on how we handle SAP security updates, including information on SAP’s process, the CVE process and the CVSS base scores in our earlier article on addressing security vulnerabilities in SAP software.
