SAP Security Patch Day – March 2021
Chapters
Share Article
Tuesday 9th March, SAP again released security updates as part of the monthly SAP Patch Day.
Highlights
There were 2 updates to hot news patches already released earlier. One of them is an old well-known security note that has been updated regularly over the last months. We are talking about the Google Chromium patch in SNOTE 2622660. Additionally SNOTE 2890213, having the highest possible CVSS 10.0 rating, has been updated. We recommend you paying attention to this SAP Patch and implement it as soon as possible because the missing authorization check in SAP Solution Manager has been remediated.
SAP MII, which is based on SAP AS JAVA, was also relieved of a code injection vulnerability via SNOTE 3022622. If you have not yet configured your SAP Manufacturing Integration and Intelligence securely, we recommend this security guideline.
Certainly, it is not sufficient to focus exclusively on high severity vulnerabilities. Attackers often use a combination of vulnerabilities that are not necessarily rated CVSS >9. SAP customers must therefore also always consider the specific environment and the data classification of the individual instance to evaluate the necessity of patching.
Use SecurityBridge Patch Management to never miss an important patch, applicable for your SAP products.
The March SAP Security Patch Day contains additional important corrections, which should be applied if the software components are available in your systems. Also relevant for SAP AS JAVA, the SNOTE 3022422 remediates a missing authorization check in the “Migration Service”.
Rated with severity “High” (CVSS 7.7), SAP Note 3017378 removes a vulnerability that allows attackers to bypass authentication in SAP HANA LDAP scenarios.
Please find a full list of released patches below.
Summary by Severity
The March release contains a total of 11 patches for the following severities:
| Severity | Number |
|---|---|
|
Hot News
|
3 |
|
High
|
1 |
|
Medium
|
7 |
| Note | Description | Severity | CVSS |
|---|---|---|---|
| 2890213 | Update to security note
released on March 2020 Patch Day:[CVE-2020-6207] Missing Authentication Check in SAP Solution Manager
(User-Experience Monitoring) Product - SAP Solution Manager (User Experience Monitoring), Version - 7.2 |
Hot News
|
10 |
| 2622660 | Update to security note
released on April 2018 Patch Day:Security updates for the browser control Google Chromium delivered with
SAP Business Client Product - SAP Business Client, Version - 6.5 |
Hot News
|
10 |
| 3022622 | [CVE-2021-21480] Code
Injection Vulnerability in SAP MII Product - SAP Manufacturing Integration and Intelligence, Versions - 15.1, 15.2, 15.3, 15.4 |
Hot News
|
9.9 |
| 3022422 | [CVE-2021-21481] Missing
Authorization Check in SAP NetWeaver AS JAVA (MigrationService) Product - SAP NetWeaver AS JAVA (MigrationService), Versions - 7.10, 7.11, 7.30, 7.31, 7.40, 7.50 |
Hot News
|
9.6 |
| 3017378 | [CVE-2021-21484] Possible
authentication bypass in SAP HANA LDAP scenarios Product - SAP HANA, Version - 2.0 |
High
|
7.7 |
| 3007888 | [CVE-2021-21486] Missing
Authorization check in SAP Enterprise Financial Services( Bank Customer Accounts) Product - SAP Enterprise Financial Services (Bank Customer Accounts), Versions - 101, 102, 103, 104, 105, 600, 603, 604, 605, 606, 616, 617, 618, 800 |
Medium
|
6.8 |
| 2983436 | [CVE-2021-21488] Insecure
Deserialisation in SAP NetWeaver Knowledge Management Product - SAP NetWeaver Knowledge Management, Versions - 7.01, 7.02, 7.30,7.31, 7.40, 7.50 |
Medium
|
6.8 |
| 3023778 | [CVE-2021-21487] Missing
Authorization Check in Payment Engine Product - SAP Payment Engine, Version - 500 |
Medium
|
6.8 |
| 2943844 | Update to security note
released on October 2020 Patch Day:[CVE-2020-6308] Server-Side Request Forgery vulnerability in SAP
BusinessObjects Business Intelligence Platform (Web Services) Product - SAP BusinessObjects Business Intelligence Platform (Web Services), Versions - 410, 420, 430 |
Medium
|
5.3 |
| 2976947 | [CVE-2021-21491] Reverse
TabNabbing vulnerability in SAP NetWeaver Application Server Java (Applications based on Web Dynpro
Java) Product - SAP NetWeaver Application Server Java (Applications based on Web Dynpro Java), Versions - 7.00, 7.10, 7.11, 7.20, 7.30, 731, 7.40, 7.50 |
Medium
|
4.7 |
| 3027767 | [CVE-2021-27592] Improper
Input Validation in SAP 3D Visual Enterprise Viewer Product - SAP 3D Visual Enterprise Viewer, Version - 9 |
Medium
|
4.3 |
| 3027758 | [Multiple CVEs] Improper
Input Validation in SAP 3D Visual Enterprise Viewer Related CVEs
- CVE-2021-27585, CVE-2021-27586, CVE-2021-27587, CVE-2021-21493, CVE-2021-27588, CVE-2021-27591, CVE-2021-27584, CVE-2021-27589, CVE-2021-27590 Product - SAP 3D Visual Enterprise Viewer, Version - 9 |
Medium
|
4.3 |
| 2944188 | Update to security note
released on November 2020 Patch Day:[CVE-2020-6316] Missing Authorization Check in SAP ERP and SAP S/4
HANA Product - SAP ERP, Versions - 600, 602, 603, 604, 605, 606, 616, 617, 618 Product - SAP S/4 HANA, Versions - 100, 101, 102, 103, 104 |
Medium
|
4.3 |