On the 10th of November 2020, SAP Security Patch Day saw the release of 12 new Security Notes.
There were 3 updates to previously released Patch Day Security Notes.
Notes by severity
| HotNews | 6 |
| Correction with high priority | 3 |
| Correction with medium priority | 6 |
| Correction with low priority | 0 |
Highlights
On November Patch Day SAP presents 9 high-severity Notes with 6 of them rated as HotNews.
Let us bring here an overview of information on HotNews Security Notes released for today, starting with Note 2985866 – Missing Authentication Check in SAP Solution Manager (JAVA stack) – with a CVSS Score of 10. Due to missing authentication checks in SAP Solution Manager, an unauthenticated attacker can compromise the system. Another Note was updated from August for SAP Solution Manager, with a CVSS Score of 10, which is 2890213. It covers the Missing Authentication Check. The Support Packages & Patches’ information was updated.
The next Note, 2982840, describes a complex of SAP Data Service vulnerabilities, such as Remote Code Execution and Denial of Service attack. These vulnerabilities could compromise the confidentiality, integrity and availability of the system. The CVSS Scores for the parts of the Note are 9.8 and 7.5, both considerably high to overview.
Knowledge Management service and Application Server for Java (UDDI Server) both receive the security Notes to provide the instructions necessary for SAP NetWeaver. The corresponding solution steps could be found in Note 2979062 – Privilege escalation in SAP NetWeaver Application Server for Java (UDDI Server) – with a CVSS Score of 9.1, and the update for the Note 2928635 – Cross-Site Scripting (XSS) in SAP NetWeaver (Knowledge Management) – with a CVSS Score of 9.0.
The last highlight for today is Note 2973735 – Code Injection in SAP AS ABAP and S/4 HANA (DMIS) – with a CVSS Score of 9.1. The Note was re-released with updated Support Packages & Patches information.
