SAP Security Patch Day – October 2021
Chapters
Share Article
Like every second Tuesday of the month, it’s again SAP Patch day! Today, 12th October 2021, SAP again released security patches for its vast product portfolio. This month the SAP security experts fixed 13 issues and 1 previously released patch received an update.
Highlights
SecurityBridge CTO, Ivan Mans identified and reported a vulnerability existing in the SAP software deployment system for which SAP today published Hot News correction 3097887, rated CVSS 9.1 [CVE-2021-38178]. The vulnerability exists in all SAP NetWeaver AS ABAP and ABAP Platform Versions starting from 700 up to 756.
Furthermore, the month of October introduced 2 more Hot News corrections and 1 with Priority High. Note 2622660 (CVSS 10.0) has been used to provide yet another security update for the Google Chromium engine used in the SAP Business Client.
With Note 3101406 a potential XML external Entity Injection Vulnerability in SAP Environmental Compliance Version 3.0 was fixed.
Use SecurityBridge Patch Management to never miss an important patch, applicable for your SAP products.
Summary by Severity
The October release contains a total of 14 patches for the following severities:
| Severity | Number |
|---|---|
|
Hot News
|
3 |
|
High
|
1 |
|
Medium
|
10 |
| Note | Description | Severity | CVSS |
|---|---|---|---|
| 2622660 | Update to Security Note released on April 2018 Patch Day:Security updates for the browser control Google Chromium delivered with SAP Business ClientProduct – SAP Business Client, Version – 6.5 |
HotNews
|
10 |
| 3101406 | Potential XML External Entity Injection Vulnerability in SAP Environmental ComplianceRelated CVEs
- CVE-2020-10683, CVE-2021-23926 Product - SAP Environmental Compliance, Version - 3.0 |
HotNews
|
9.8 |
| 3097887 | [CVE-2021-38178] Improper Authorization in SAP NetWeaver AS ABAP and ABAP Platform Product - SAP NetWeaver AS ABAP and ABAP Platform, Versions - 700, 701, 702, 710, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756 |
HotNews
|
9.1 |
| 3077635 | [CVE-2021-40498] Denial of service (DOS) in the SAP SuccessFactors Mobile Application for Android
devices Product - SAP SuccessFactors Mobile Application (for Android devices), Versions - <2108 < /td> |
High
|
7.8 |
| 3074693 | [CVE-2021-40500] Missing XML Validation in SAP BusinessObjects Business Intelligence Platform (Crystal
Reports) Product - SAP BusinessObjects Business Intelligence Platform (Crystal Reports), Versions - 420, 430 |
Medium
|
6.9 |
| 3074819 | [CVE-2021-38179] Information Disclosure in SAP Business One Product - SAP Business One, Version - 10.0 |
Medium
|
6.7 |
| 3079427 | [CVE-2021-38180] CSV Injection in SAP Business One Product - SAP Business One, Version - 10.0 |
Medium
|
6.5 |
| 3080710 | [CVE-2021-38181] Denial of service (DOS) in SAP NetWeaver AS ABAP and ABAP Platform Product - SAP NetWeaver AS ABAP and ABAP Platform, Versions - 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756 |
Medium
|
6.5 |
| 3100882 | [CVE-2021-40499] Code Injection vulnerability for SAP NetWeaver Application Server for ABAP (SAP Cloud Print
Manager and SAPSprint) Product - SAP NetWeaver Application Server for ABAP (SAP Cloud Print Manager and SAPSprint), Versions - 7.70, 7.70 PI, 7.70BYD |
Medium
|
6.4 |
| 3055347 | Cross-Site Scripting (XSS) vulnerability in SAPUI5Related CVE - CVE-2020-11023 Product - SAPUI5, Versions - 750, 753, 754 |
Medium
|
6.1 |
| 3084937 | [CVE-2021-38183] Cross-Site Scripting (XSS) vulnerability in cms Service of SAP NetWeaver Product - SAP NetWeaver, Versions - 700, 701, 702, 730 |
Medium
|
5.4 |
| 3099011 | [CVE-2021-40495] Denial of Service (DOS) in SAP NetWeaver Application Server for ABAP and ABAP
Platform Product - SAP NetWeaver AS ABAP and ABAP Platform, Versions - 740, 750, 751, 752, 753, 754, 755 |
Medium
|
5.3 |
| 3098917 | [CVE-2021-40497] Information Disclosure in SAP BusinessObjects Analysis (edition for OLAP) Product - SAP BusinessObjects Analysis, (edition for OLAP), Versions - 420, 430 |
Medium
|
4.3 |
| 3087254 | [CVE-2021-40496] Improper Access Control in SAP NetWeaver AS ABAP and ABAP Platform Product - SAP NetWeaver AS ABAP and ABAP Platform, Versions - 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 785 |
Medium
|
4.3 |