
SAP Releases Four ‘Hot News’ Notes on December 2020 Patch Day

SAP this week released eleven security notes as part of its December 2020 Security Patch Day, including four that were rated ‘hot news.’ There were also two updates to previously released notes.

Featuring a CVSS score of 10, the most important of the notes addresses a missing authentication check vulnerability (CVE-2020-26829) in SAP NetWeaver AS JAVA (P2P Cluster Communication).

Identified by security researchers at Onapsis, a firm that specializes in securing Oracle and SAP applications, the issue could allow an unauthenticated attacker to perform privileged actions over a TCP connection.

The attacker could install new trusted SSO providers, change the parameters associated with the database connection, and access configuration information. By abusing these actions, the attacker could “gain full privileged access to the affected SAP system or perform a Denial-of-Service attack rendering the SAP system unusable,” Onapsis says.

The security note that addresses the bug is only provided for support packages that are not older than 24 months. However, a manual workaround is provided, to essentially prevent any “potential attackers from connecting to the P2P Server Socket port and from spying the communication between the cluster elements.”

The second ‘hot news’ security note released this month addresses CVE-2020-26831 (CVSS score of 9.6), a missing XML validation flaw in BusinessObjects Business Intelligence Platform (Crystal Report). The bug allows an attacker with basic privileges to inject arbitrary XML entities, thus leaking internal files and directories. Server-side request forgery (SSRF) as well as denial-of-service (DoS) attacks are also possible.

SAP also patched a code injection bug in Business Warehouse (Master Data Management) and BW4HANA (CVE-2020-26838, CVSS score of 9.1). The flaw could have been scored 10, but it requires an attacker to have high privileges to submit the crafted requests that lead to arbitrary code execution without user interaction.

The fourth ‘hot news’ note this month addresses a code injection bug in NetWeaver AS ABAP and S/4 HANA (SLT component) that could lead to arbitrary code execution and complete system compromise (CVE-2020-26808, CVSS score 9.1). The note was initially released one day after the November Patch Day.

Another vulnerability in the SLT component of AS ABAP and S/4 HANA that was addressed this month is CVE-2020-26832 (CVSS score 7.6). The issue is a missing authorization check that could allow a high-privileged user to execute functions they should not have access to.

A second ‘high priority’ note issued this month addresses a path traversal and a missing authentication check in Solution Manager (CVE-2020-26837 and CVE-2020-26830, CVSS score of 8.5).

“Exploiting both vulnerabilities, a remote attacker having access to an unprivileged user could partially compromise availability in making certain services unavailable. The exploits would even allow the attacker to gain access to sensitive information such as usernames and passwords that can be used to access other SAP systems in the landscape,” Onapsis explains.

SAP’s Security Patch Day advisory for December 2020 also details six medium- and one low-priority note dealing with unrestricted file upload, formula injection, missing encryption, XSS, content spoofing, improper authentication, and open redirect vulnerabilities.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
