Security News > 2020 > December > A light December 2020 Patch Tuesday for a no-stress end of the year
As expected, Microsoft fixed a smaller-than-usual number of CVEs on this December 2020 Patch Tuesday: 58 in total.
Satnam Narang, staff research engineer at Tenable, pointed out that CVE-2020-17132 addresses a patch bypass for CVE-2020-16875, which was reported and patched in September's Patch Tuesday release.
For December 2020 Patch Tuesday, SAP released 11 security notes and updated two previously released ones.
The most critical patch is for a missing authentication check vulnerability in SAP NetWeaver AS JAVA that has a "Perfect" CVSS score of 10.
"SAP Security Note #2974774, tagged with a CVSS score of 10, patches the aforementioned vulnerabilities. The patch is not provided for all support package levels The good news is that the note also provides a manual workaround that will prevent potential attackers from connecting to the P2P Server Socket port and from spying the communication between the cluster elements. This workaround can also be applied by customers running SAP NetWeaver AS JAVA on a support package level for which no patch is provided."
News URL
http://feedproxy.google.com/~r/HelpNetSecurity/~3/CWcfHz0oozg/
Related news
- October 2024 Patch Tuesday forecast: Recall can be recalled (source)
- Week in review: Critical Zimbra RCE vulnerability exploited, Patch Tuesday forecast (source)
- Microsoft October 2024 Patch Tuesday fixes 5 zero-days, 118 flaws (source)
- Microsoft cleans up hot mess of Patch Tuesday preview (source)
- Patch Tuesday: Internet Explorer Vulnerabilities Still Pose a Problem (source)
- November 2024 Patch Tuesday forecast: New servers arrive early (source)
- Microsoft November 2024 Patch Tuesday fixes 4 zero-days, 91 flaws (source)
- Microsoft November 2024 Patch Tuesday fixes 4 zero-days, 89 flaws (source)
- Microsoft slips Task Manager and processor count fixes into Patch Tuesday (source)
- Patch Tuesday: Four Critical Vulnerabilities Paved Over (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-12-10 | CVE-2020-17132 | Unspecified vulnerability in Microsoft Exchange Server 2013/2016/2019 Microsoft Exchange Remote Code Execution Vulnerability | 9.1 |
| 2020-09-11 | CVE-2020-16875 | Improper Privilege Management vulnerability in Microsoft Exchange Server 2016/2019 <p>A remote code execution vulnerability exists in Microsoft Exchange server due to improper validation of cmdlet arguments.</p> <p>An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the System user. | 8.4 |