SAP Releases Four ‘Hot News’ Notes on December 2020 Patch Day

SAP this week released eleven security notes as part of its December 2020 Security Patch Day, including four that were rated ‘hot news.’ There were also two updates to previously released notes.

Featuring a CVSS score of 10, the most important of the notes addresses a missing authentication check vulnerability (CVE-2020-26829) in SAP NetWeaver AS JAVA (P2P Cluster Communication).

Identified by security researchers at Onapsis, a firm that specializes in securing Oracle and SAP applications, the issue could allow an unauthenticated attacker to perform privileged actions over a TCP connection.

The attacker could install new trusted SSO providers, change the parameters associated with the database connection, and access configuration information. By abusing these actions, the attacker could “gain full privileged access to the affected SAP system or perform a Denial-of-Service attack rendering the SAP system unusable,” Onapsis says.

The security note that addresses the bug is only provided for support packages that are no older than 24 months. A manual workaround is also provided, which essentially prevents any “potential attackers from connecting to the P2P Server Socket port and from spying the communication between the cluster elements.”

The second ‘hot news’ security note released this month addresses CVE-2020-26831 (CVSS score of 9.6), a missing XML validation flaw in BusinessObjects Business Intelligence Platform (Crystal Report). The bug allows an attacker with basic privileges to inject arbitrary XML entities, thus leaking internal files and directories. Server-side request forgery (SSRF) as well as denial-of-service (DoS) attacks are also possible.

SAP also patched a code injection bug in Business Warehouse (Master Data Management) and BW4HANA (CVE-2020-26838, CVSS score of 9.1). The flaw could have been scored 10, but it requires the attacker to have high privileges to submit the crafted requests that lead to arbitrary code execution without user interaction.

The fourth ‘hot news’ note this month addresses a code injection bug in NetWeaver AS ABAP and S/4 HANA (SLT component) that could lead to arbitrary code execution and complete system compromise (CVE-2020-26808, CVSS score 9.1). The note was initially released one day after the November Patch Day.

Another vulnerability in the SLT component of AS ABAP and S/4 HANA that was addressed this month is CVE-2020-26832 (CVSS score 7.6). The issue is a missing authorization check that could allow a high-privileged user to execute functions they should not have access to.

A second ‘high priority’ note issued this month addresses a path traversal and a missing authentication check in Solution Manager (CVE-2020-26837 and CVE-2020-26830, CVSS score of 8.5).

“Exploiting both vulnerabilities, a remote attacker having access to an unprivileged user could partially compromise availability in making certain services unavailable. The exploits would even allow the attacker to gain access to sensitive information such as usernames and passwords that can be used to access other SAP systems in the landscape,” Onapsis explains.

SAP’s Security Patch Day advisory for December 2020 also details six medium-priority notes and one low-priority note dealing with unrestricted file upload, formula injection, missing encryption, XSS, content spoofing, improper authentication, and open redirect vulnerabilities.

Related: SAP Patches Several Critical Vulnerabilities With November 2020 Security Updates

Related: SAP Patches Critical Vulnerability in CA Introscope Enterprise Manager

Related: Critical Access Control Vulnerability Patched in SAP Marketing

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
