SAP Security Patch Day

Cyber Attacks on SAP Security

According to a study by Cybersecurity Ventures, cyber-crimes will cost the world almost $6 trillion a year by 2021. In the last few years, cyber-crimes have been in the news a lot with tech giants like Facebook becoming a victim of data and security breaches. This is why when it comes to cyber-crimes, it’s not a question of ‘if’, it’s a question of ‘when’ it will happen.

Five key cyber threats that enterprises need to take seriously and should watch out for in 2020.

  • Social Engineering Attacks

  • IoT-Based Attacks

  • Ransomware Attacks

  • Internal Threats

  • State-sponsored Attacks

Although SAP is investing a lot to deliver its products with secure code, there still remains the need to also deliver security corrections to already released products due to new flaws identified or new attack patterns becoming known. The security maintenance of installed SAP software is therefore key to continuously protect also against new types of attacks or newly identified potential weaknesses.

Based on feedback from customers, partners and SAP user groups, SAP has launched a regular SAP Security Patch Day, scheduled for the second Tuesday of every month — which is by purpose synchronized with the Security Patch Day of other major software vendors. At these patch days, SAP publishes software corrections as Security Notes solely focused on security to protect against potential weaknesses or attacks.The recommendation is to implement these corrections as soon as possible. Several tools are available to help identifying, selecting and implementing those corrections.

Overall the generally recommended procedure for each patch day is:

  • Check the updated list of Security Notes

  • Use the tool System Recommendations in SAP Solution Manager to check which security notes are relevant for the various systems of your system landscape

  • Use available tools like the Note Assistant — transaction SNOTE — to apply individual ABAP Security Notes or the Maintenance Optimizer, which now shows a section about required Security Notes as well, to plan the implementation of ABAP Support Packages or Java Patches.

  • Use configuration management platform to monitor and track your patch levels across your landscapes and components.  IT-Conductor can automate mini-check reports across your application stack with findings and recommendations based on SAP security and compliance best practice.

  • Use automation to orchestrate deployment of patches for kernels across SAP, Database and OS, including any agents such as SMD.  For example, create Ansible playbooks and use them for mass deployment across your host inventory.  IT-Conductor can orchestrate Ansible playbooks against all your SAP hosts under management.

On 11th of August 2020, SAP Security Patch Day saw the release of 15 Security Notes. There was 1 update to previously released Patch Day Security Note. SAP Security Patch Day – August 2020

You should pay attention to the most critical vulnerabilities in recent months and take measures to eliminate them.

List of SAP Security Notes with CVSS > 9.0:

SAP Security Patch Day – March 2020:

2890213 - [CVE-2020-6207] Missing Authentication Check in SAP Solution Manager (User-Experience Monitoring)

2845377 - [CVE-2020-6198] Missing Authentication check in SAP Solution Manager (Diagnostics Agent)

SAP Security Patch Day – April 2020:

2839864 - Update 2 to Security Note 2808158: [CVE-2019-0330] OS Command Injection vulnerability in SAP Diagnostics

SAP Security Patch Day – May 2020:

2835979 - [CVE-2020-6262] Code Injection vulnerability in Service Data Download

SAP Security Patch Day – June 2020:

2928570 - 'Ghostcat' Apache Tomcat AJP Vulnerability in SAP Liquidity Management for Banking

SAP Security Patch Day – July 2020:

2934135 - [CVE-2020-6287] Multiple Vulnerabilities in SAP NetWeaver AS JAVA (LM Configuration Wizard)

2928635 - [CVE-2020-6284] Cross-Site Scripting (XSS) in SAP NetWeaver (Knowledge Management)

2927956 - [CVE-2020-6294] Missing Authentication check in SAP BusinessObjects Business Intelligence Platform

SAP Security Patch Day – August 2020:

2928635 - [CVE-2020-6284] Cross-Site Scripting (XSS) in SAP NetWeaver (Knowledge Management)

2890213 - [CVE-2020-6207] Missing Authentication Check in SAP Solution Manager

2622660 - Security updates for the browser control Google Chromium delivered with SAP Business Client

To help you automate monitoring, security compliance and software patching

IT-Conductor Signup