SAP Security Patch Day – April 2021

SAP security Patch day

Great to see you are here again! 13th April 2021 was yet another Patch Day on our SAP calendar. The SAP Response Team has been working hard the last four weeks, resulting in a total of 14 new and 5 updated Security Notes.

Highlights

The Security Patch Day of April reveals a new “Hot News” correction addressing a Remote Code Execution vulnerability in Source Rules of SAP Commerce. Customers running an affected version and using the Rule Engine Architecture with extensions are advised to install the patch. Customers who do not wish to install the patches provided by SAP can find a workaround in Security Note 3040210.

With SNOTE 3039649 an unquoted search path in SAPSetup is corrected. Attackers may use this vulnerability to register arbitrage files which could lead to gaining full system control.

Use SecurityBridge Patch Management to never miss an important patch, applicable for your SAP products.

Also Solution Manager 7.20 again requires a correction that resolves an information disclosure vulnerability. SAP does not disclose under which conditions the vulnerability can be exploited but states that a high privileged attacker can get access to sensitive information.

Another correction caught our interest, 3028729 resolves a Denial of Service (DoS) vulnerability in SAP NetWeaver AS of ABAP. The underlying problem allows an attacker to keep a work process busy for an undefined period of time.

Summary by Severity

The April release contains a total of 19 patches for the following severities:

Severity Number
Hot News
3
High
5
Medium
11
Note Description Severity CVSS
2622660 Update to Security Note released on August 2018 Patch Day:Security updates for the browser control Google Chromium delivered with SAP Business Client
Product - SAP Business Client, Version - 6.5
Hot News
10
3040210 [CVE-2021-27602] Remote Code Execution vulnerability in Source Rules of SAP Commerce
Product - SAP Commerce, Versions - 1808, 1811, 1905, 2005, 2011 
Hot News
9.9
3022422 Update to Security Note released on March 2021 Patch Day:[CVE-2021-21481] Missing Authorization Check in SAP NetWeaver AS JAVA (MigrationService)
Product - SAP NetWeaver AS JAVA (MigrationService), Versions - 7.10, 7.11, 7.30, 7.31, 7.40, 7.50
Hot News
9.6
3017908 [CVE-2021-21482] Information Disclosure in SAP NetWeaver Master Data Management
Product - SAP NetWeaver Master Data Management, Versions - 710, 710.750
High
8.3
3017823 [CVE-2021-21483] Information Disclosure in SAP Solution Manager
Product - SAP Solution Manager, Version - 7.20
High
8.2
2993132 Update to Security Note released on December 2020 Patch Day:[CVE-2020-26832] Missing Authorization check in SAP NetWeaver AS ABAP and SAP S4 HANA (SAP Landscape Transformation)
Product - SAP NetWeaver AS ABAP (SAP Landscape Transformation - DMIS), Versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020
Product - SAP S4 HANA (SAP Landscape Transformation), Versions - 101, 102, 103, 104, 105 
High
7.6
3039649 [CVE-2021-27608] Unquoted Search Path in SAPSetup
Product - SAP Setup, Version - 9.0
High
7.5
3001824 [CVE-2021-21485] Information Disclosure in SAP NetWeaver AS for Java (Telnet Commands)
Product - SAP NetWeaver AS for JAVA (Telnet Commands), Versions - ENGINEAPI - 7.30, 7.31, 7.40, 7.50, ESP_FRAMEWORK - 7.10, 7.20, 7.30, 7.31, 7.40, 7.50, SERVERCORE - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, J2EE-FRMW - 7.10, 7.20, 7.30, 7.31, 7.40, 7.50 
High
7.4
3027937 [CVE-2021-27598] Improper Access Control in SAP NetWeaver AS for Java (Customer Usage Provisioning Servlet)
Product - SAP NetWeaver AS for JAVA (Customer Usage Provisioning Servlet), Versions - 7.31, 7.40, 7.50 
Medium
6.5
3028729 [CVE-2021-27603] Denial of Service(DoS) in SAP NetWeaver AS of ABAP
Product - SAP NetWeaver AS for ABAP, Versions - 731, 740, 750 
Medium
6.5
3012277 [CVE-2021-27599] Information Disclosure in SAP Process Integration (Integration Builder Framework)
Product - SAP Process Integration (Integration Builder Framework), Versions - 7.10, 7.30, 7.31, 7.40, 7.50 
Medium
6.5
3036436 [CVE-2021-27604] Potential XXE Vulnerability in SAP Process Integration (ESR Java Mappings)
Product - SAP Process Integration (Enterprise Service Repository JAVA Mappings), Versions - 7.10, 7.20, 7.30, 7.31, 7.40, 7.50 
Medium
6.5
3024414 [CVE-2021-27600] Cross-Site Scripting (XSS) vulnerability in SAP Manufacturing Execution (System Rules)
Product - SAP Manufacturing Execution (System Rules), Versions - 15.1, 15.2, 15.3, 15.4 
Medium
6.4
2963592 [CVE-2021-27601] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS Java (Applications based on HTMLB for Java)
Product - SAP NetWeaver AS for Java (Applications based on HTMLB for Java)  , Versions - EP-BASIS - 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, FRAMEWORK-EXT - 7.30, 7.31, 7.40, 7.50, FRAMEWORK - 7.10, 7.11 
Medium
5.4
3036679 Update to Security Note released on October 2011 Patch Day:Update 1 to Security Note 1576763: Potential information disclosure relating to usernames
Product - SAP NetWeaver AS ABAP , Versions - 7.30
Medium
5.3
2976947 Update to Security Note released on March 2021 Patch Day:[CVE-2021-21491] Reverse TabNabbing vulnerability in SAP NetWeaver Application Server Java (Applications based on Web Dynpro Java)
Product - SAP NetWeaver Application Server Java (Applications based on Web Dynpro Java), Versions - 7.00, 7.10, 7.11, 7.20, 7.30, 731, 7.40, 7.50 
Medium
4.7
3030948 [CVE-2021-27609] Missing Authorization check in SAP Focused RUN
Product - SAP Focused RUN, Versions - 200, 300
Medium
4.6
3025637 [CVE-2021-21492] Content spoofing in NetWeaver AS Java HTTP Service
Product - SAP NetWeaver AS for JAVA (HTTP Service), Versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 
Medium
4.3
3025054 [CVE-2021-27605] Missing Authorization check in HCM Travel Management Fiori Apps V2
Product - SAP Fiori Apps 2.0 for Travel Management in SAP ERP, Version - 608
Medium
4.3

Source

Posted by

Christoph Nagy
Share on linkedin
Share on twitter
Share on email
Find recent Security Advisories for SAP©
Download the White Paper “YOUR ROAD TO SAP SECURITY” to learn about the major milestones towards increasing the cybersecurity posture of your SAP systems.

Webinar: Why is SAP Security Patching not like Windows Updates?

The webinar, taking place on 05.10.2022, is all about SAP Patch Management and its challenges. The German-speaking SAP User Group (DSAG) and the American colleagues of ASUG asked why SAP security patching cannot be as simple and effective as, for example, Windows updates.
S/4HANA migration
SAP Cybersecurity- SAP Security Automation- Security News
“There are a few constants in life” – a statement that also applies to the SAP user community. It has always been a challenge for SAP customers to bring their large SAP environments to a current release level. Although the vendor has done a lot in the past to simplify this, it is still not a complex undertaking.
SecurityBridge
Here at SecurityBridge, we are extremely lucky to have a team full of amazing professionals. Thanks to our team, we have achieved extraordinary things in the past couple of years. With that in mind, we thought it was time for us to start introducing you to the team that drives everything behind the scenes. And we couldn't have chosen a better example to start with than our very own, Harish Dahima! Read on and learn all about Harish's life as a Senior Product Developer, his role, and life at SecurityBridge.
SAP Cloud Connector
SAP Cloud Security- SAP Cybersecurity- Security News
Every organization constantly faces the challenge of minimizing the attack surface that an adversary could use to perform malicious operations. To do this, administrators must install the deployed components and understand them in detail to identify risks and proactively mitigate or prevent those. Today we are looking at what is necessary to protect the SAP Cloud Connector.
SAP Cycling event
Life at SecurityBridge- Partner News- Security News
It was John F. Kennedy who once said: “nothing compares to the simple pleasure of a bike ride”. And what a pleasure it has been! We had our annual bike ride with friends from Accenture, Deloitte, CGI, McCoy, Thales, KPN, Hunt &Hacket, and security leaders from major customers. We had a lot of opportunities for exchange in the cozy atmosphere among like-minded people who all love road cycling and have SAP Security improvement in mind.