On December 8, SAP released a security update that includes 11 new patches, 4 of which are critical.

CERT PSE encourages administrators to review the notes for SAP Security Patch Day and apply the necessary updates.

Full list of patches:

| Note# | Title | Priority | CVSS |
|---|---|---|---|
| 2974774 | [CVE-2020-26829] Missing Authentication Check In SAP NetWeaver AS JAVA (P2P Cluster Communication)<br>Product – SAP NetWeaver AS JAVA (P2P Cluster Communication), Versions – 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 | Hot News | 10 |
| 2989075 | [CVE-2020-26831] Missing XML Validation in SAP BusinessObjects Business Intelligence Platform (Crystal Report)<br>Product – SAP BusinessObjects BI Platform (Crystal Report), Versions – 4.1, 4.2, 4.3 | Hot News | 9.6 |
| 2983367 | [CVE-2020-26838] Code Injection vulnerability in SAP Business Warehouse (Master Data Management) and SAP BW4HANA<br>Product – SAP Business Warehouse, Versions – 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 782<br>Product – SAP BW4HANA, Versions – 100, 200 | Hot News | 9.1 |
| 2973735 | Update to security note released on November 2020 Patch Day:<br>[CVE-2020-26808] Code Injection in SAP AS ABAP and S/4 HANA (DMIS)<br>Product – SAP AS ABAP (DMIS), Versions – 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020<br>Product – SAP S4 HANA (DMIS), Versions – 101, 102, 103, 104, 105 | Hot News | 9.1 |
| 2983204 | [CVE-2020-26837] Path traversal and Missing Authorization check in SAP Solution Manager 7.2 (User Experience Monitoring)<br>Additional CVE – CVE-2020-26830<br>Product – SAP Solution Manager (User Experience Monitoring), Version – 7.20 | High | 8.5 |
| 2993132 | [CVE-2020-26832] Missing Authorization check in SAP NetWeaver AS ABAP and SAP S4 HANA (SAP Landscape Transformation)<br>Product – SAP NetWeaver AS ABAP (SAP Landscape Transformation – DMIS), Versions – 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020<br>Product – SAP S4 HANA (SAP Landscape Transformation), Versions – 101, 102, 103, 104, 105 | High | 7.6 |
| 2974330 | [CVE-2020-26826] Unrestricted File Upload vulnerability in SAP NetWeaver Application Server for Java (Process Integration Monitoring)<br>Product – SAP NetWeaver Application Server for Java, Versions – 7.31, 7.40, 7.50 | Medium | 6.5 |
| 2971180 | [CVE-2020-26828] Formula Injection in SAP Disclosure Management<br>Product – SAP Disclosure Management, Version – 10.1 | Medium | 5.4 |
| 2971163 | [CVE-2020-26816] Missing Encryption in SAP NetWeaver AS Java (Key Storage Service)<br>Product – SAP NetWeaver AS JAVA (Key Storage Service), Versions – 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 | Medium | 5.4 |
| 2996479 | [CVE-2020-26835] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP<br>Product – SAP NetWeaver AS ABAP, Versions – 740, 750, 751, 752, 753, 754 | Medium | 5.3 |
| 2843016 | Update to security note released on November 2019 Patch Day:<br>[CVE-2019-0388] Content spoofing vulnerability in UI5 HTTP Handler<br>Product – SAP UI, Versions – 7.5, 7.51, 7.52, 7.53, 7.54<br>Product – SAP UI 700, Version – 2.0 | Medium | 4.3 |
| 2978768 | [CVE-2020-26834] Improper authentication in SAP HANA database<br>Product – SAP HANA Database, Version – 2.0 | Medium | 4.2 |
| 2938650 | [CVE-2020-26836] Open Redirect in SAP Solution Manager (Trace Analysis)<br>Product – SAP Solution Manager (Trace Analysis), Version – 7.20 | Low | 3.4 |