SAP Patches Several Critical Vulnerabilities With November 2020 Security Updates
SAP’s security updates for November 2020 patch several critical vulnerabilities affecting the company’s Solution Manager (SolMan), Data Services, ABAP, S4/HANA, and NetWeaver products.
Since the previous Patch Day, SAP released a total of 19 new and updated security notes. Six of the notes have been assigned a hot news (critical) priority rating, including four new notes and two previously released patches that were updated.
One of the hot news patches resolves a total of four vulnerabilities related to missing authentication checks in SolMan, which provides a central management interface for SAP and non-SAP systems. An unauthenticated attacker could exploit these flaws — they are tracked as CVE-2020-26821, CVE-2020-26822, CVE-2020-26823 and CVE-2020-26824 — to compromise the targeted system.
SAP has also updated a previous hot news security note that addressed a missing authentication check in SolMan.
“We have once more seen that Solution Manager will keep security administrators busy, due to its central role in the system landscape and the criticality of the newly detected vulnerabilities,” said Onapsis, a company that specializes in securing business-critical applications.
Onapsis has published a blog post describing this month’s patches, some of which fix vulnerabilities found by the company’s own researchers.
Another hot news patch addresses two vulnerabilities in SAP Data Services. These flaws were disclosed last year and they impact Apache Struts. Exploitation can lead to remote code execution and a denial-of-service (DoS) condition, respectively.
A code injection vulnerability affecting SAP AS ABAP and S/4 HANA (CVE-2020-26808) and a privilege escalation issue in SAP NetWeaver Application Server for Java (CVE-2020-26820) have also been rated hot news.
Three of the new patches address high-severity vulnerabilities, including server-side request forgery (SSRF) and reflected cross-site scripting (XSS) issues in SAP Fiori Launchpad, an information disclosure issue in SAP Commerce Cloud, and DoS and SSRF bugs in Commerce Cloud.
Medium-severity flaws were resolved in NetWeaver, Bank Analyzer, S/4 HANA Financial Products, SAP Process Integration, ERP Client for E-Bilanz, and Visual Enterprise Viewer.
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.