SAP News Overview for December 2020 - Infected with malware - Safe O'Clock

SAP News Overview for December 2020 – Infected with malware

January 6, 2021

SAP on the list of companies affected by the SolarWinds hack

Several information security companies have released lists of SolarWinds customers who have been affected by malware.

The victims of hackers include tech companies, local governments, universities, hospitals, banks, telecom operators, and many others. Notable names include Cisco, SAP, Intel, Cox Communications, Deloitte, Nvidia, Fujitsu, Belkin, Amerisafe, etc.

SAP does not disclose further details.

SAP fixes vulnerabilities with December security updates

SAP has released a total of 11 new and updated security notes. Four posts have been rated hot news (critical) priority, including three new fixes and one previously released that have been updated.

The most critical note, scoring 10 on CVSS, concerns the missing authentication check vulnerability (CVE-2020-26829) in SAP NetWeaver AS JAVA (P2P Cluster Communication). The vulnerability allows an unauthenticated attacker to perform privileged actions over a TCP connection. An attacker could change the settings related to the database connection and gain access to the configuration information. Only service bundles that are not older than 24 months are supplied with a security notice that fixes the bug.

The second security hot news CVE-2020-26831 (CVSS score 9.6) is the lack of XML validation in the BusinessObjects Business Intelligence platform (Crystal Report). The bug allows an attacker with basic privileges to inject arbitrary XML objects, thereby leaking internal files and directories. The vulnerability allows Server Side Request Forgery (SSRF) and Denial of Service (DoS) attacks.

SAP has fixed a code injection bug in Business Warehouse (Master Data Management) and BW4HANA (CVE-2020-26838, CVSS score 9.1). The vulnerability would allow a high-privilege attacker to send a crafted request to generate and execute code without any user interaction.

The fourth hot news is a code injection error in NetWeaver AS ABAP and S/4 HANA (SLT component), which can lead to the execution of arbitrary code by an authorized attacker and a complete compromise of the system (CVE-2020-26808, CVSS score 9.1).

SAP Security Notes Q4 2020

The total number of patches increased compared to the previous quarter. The number of critical and high-profile news is also increasing, with 12 hot news per quarter. The most criticisms for the quarter (four with CVSS 10) related to the lack of authentication checks in SAP Solution Manager, one of the lack of authentication checks in SAP NetWeaver AS JAVA.

The next most critical (CVSS 9.8) vulnerabilities. One is the usual “Chrome Control Chromium shipped with SAP Business Client (2622660)” and the other is related to multiple vulnerabilities in SAP Data Services.

For the entire 4th quarter, 62 security notes, 1 more than last quarter (49 from Tuesday’s patch, 7 more than last quarter):

You Might Be Interested In

The latest news in the
sphere of SAP security

SAP News Overview for April 2023 – new SAP office in San Francisco, AMD is SAP customer and others

New SAP office in San Francisco SAP is constantly expanding to make its services available to more customers. The company […]

Read more
SAP Security Notes – May 2023

May 2023 On the 9th of May 2023, SAP Security Patch Day, 18 new Security Notes were released. There were […]

Read more
SAP Security Notes – April 2023

On the 11th of April 2023, SAP Security Patch Day saw the release of 19 new Security Notes. There were […]

Read more
SAP News Overview for March 2023 – Industry Cloud for healthcare, Axfood and others

SAP’s Industry Cloud helps healthcare In life sciences and healthcare, SAP is committed to helping its customers develop and advance […]

Read more

Subscribe today to get more insights,
updates, and industry trends

Delivered to your inbox weekly.
No spam. We respect your privacy

    This website use cookies. Learn more