Skip to content
Linkedin Twitter Facebook Xing
< Back to Overview

SAP Security Patch Day – August 2021

SAP security Patch day

Tuesday the 10th of August was blocked in our calendars as the next monthly SAP Security Patch Day. It is important to review these security updates regularly, to ensure that no critical vulnerability remains unpatched. The SAP Patch Day of August 2021 has seen 14 (see List) new SAP security patches. One previously released correction has been updated too.

Highlights

SAP has provided patches for the following vulnerability types in August:
– Cross-Site Scripting (XSS)
– SQL Injection
– Unrestricted File Upload
– Server-Side Request Forgery (SSRF)
– Task Hijacking
– Missing Authentication check
– URL Redirection vulnerability
– Reverse Tabnabbing

In August the number of patches did not rise compared to last month. The distribution of Security Notes priorities increased significantly. There are 8 corrections with priority High and Hot News (Very High). In 2021, we only saw a similar distribution in the SAP Security Patch Day of April.

While reviewing the released security patches, one realizes that the SAP NetWeaver Enterprise Portal has made a hat-trick. Three corrections with a priority high, ranging from CVSS 8.1 to 8.3 have been published.

Besides the SAP NetWeaver Enterprise Portal, also the SAP Business One has received special attention, with three new corrections ranging from CVSS 6.3 to 9.9. An unrestricted file upload vulnerability with Hot News (CVSS 9.9) has been identified and resolved with 3071984. The correction lists specific SP and hotfix level that customers running SAP Business One need to update. Alternatively, a temporary workaround was provided.

If you are using the DMIS Mobile Plug-In or SAP S/4HANA products, correction 3078312  requires your attention. The resolution should be fast and easy since implementation can be done via transaction SNOTE.

Use SecurityBridge Patch Management to never miss an important patch, applicable for your SAP products.

Request a Demo

Summary by Severity

The August release contains a total of 15 patches for the following severities:

Severity Number
Hot News
 3
High
 5
Medium
 7
Note Description Severity CVSS
3071984 [CVE-2021-33698] Unrestricted File Upload vulnerability in SAP Business One
Product - SAP Business One, Version - 10.0
Hot News
 9.9
3072955 [CVE-2021-33690] Server Side Request Forgery vulnerability in SAP NetWeaver Development Infrastructure (Component Build Service)
Product - SAP NetWeaver Development Infrastructure (Component Build Service), Versions - 7.11, 7.20, 7.30, 7.31, 7.40, 7.50
Hot News
 9.9
3078312 [CVE-2021-33701] SQL Injection vulnerability in SAP NZDT Row Count Reconciliation
Product - DMIS Mobile Plug-In, Versions - DMIS 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 710, 2011_1_731, 710, 2011_1_752, 2020
Product - SAP S/4HANA, Versions - SAPSCORE 125, S4CORE 102, 102, 103, 104, 105
Hot News
 9.1
3073681 [CVE-2021-33702] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal
Product - SAP NetWeaver Enterprise Portal, Versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50
High
 8.3
3072920 [CVE-2021-33703] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal
Product - SAP NetWeaver Enterprise Portal (Application Extensions), Versions - 7.30, 7.31, 7.40, 7.50
High
 8.3
3074844 [CVE-2021-33705] Server-Side Request Forgery (SSRF) vulnerability in SAP NetWeaver Enterprise Portal
Product - SAP NetWeaver Enterprise Portal, Versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50
High
 8.1
3067219 [CVE-2021-33699] Task Hijacking in SAP Fiori Client Native Mobile for Android
Product - SAP Fiori Client Native Mobile for Android, Version - 3.2
High
 7.6
3073325 [CVE-2021-33700] Missing Authentication check in SAP Business One
Product - SAP Business One, Version - 10.0
High
 7
3073450 [CVE-2021-33691] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Development Infrastructure (Notification Service)
Product - SAP NetWeaver Development Infrastructure (Notification Service), Versions - 7.31, 7.40, 7.50
Medium
 6.9
3058553 [CVE-2021-33695] Multiple Vulnerabilities in SAP Cloud ConnectorAdditional CVEs - CVE-2021-33694, CVE-2021-33693, CVE-2021-33692
Product - SAP Cloud Connector, Version - 2.0
Medium
 6.8
3078072 [CVE-2021-33704] Missing Authorization Check in SAP Business One (Service Layer)
Product - SAP Business One, Version - 10.0
Medium
 6.3
3002517 Update to Security Note release on June 2021 Patch Day:[CVE-2021-21473] Missing Authorization check in SAP NetWeaver AS ABAP and ABAP Platform
Product - SAP NetWeaver AS ABAP and ABAP Platform (SRM_RFC_SUBMIT_REPORT), Versions - 700, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755
Medium
 6.3
3076399 [CVE-2021-33707] URL Redirection vulnerability in SAP NetWeaver (Knowledge Management)
Product - SAP NetWeaver (Knowledge Management), Versions - 7.30, 7.31, 7.40, 7.50
Medium
 6.1
3062085 [CVE-2021-33696] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (Crystal Report)
Product - SAP BusinessObjects Business Intelligence Platform (Crystal Report), Versions - 420, 430
Medium
 5.4
3063048 [CVE-2021-33697] Reverse Tabnabbing in SAP BusinessObjects Business Intelligence Platform (SAP UI5)
Product - SAP BusinessObjects Business Intelligence Platform (SAPUI5), Versions - 420, 430
Medium
 4.7

Source

Posted by

Christoph Nagy
Find recent Security Advisories for SAP©
View Advisory for July'21
White Paper - Bridging the Gap How SecurityBridge Supports NIST CSF in SAP Environments
Download the White Paper “Bridging the Gap – How SecurityBridge Supports NIST CSF in SAP Environments”. Learn how choosing the right tool can significantly shorten the journey of NIST CSF adoption and improve the security posture of SAP environments.
CISA - NIST Webinar Q3 2023

Mastering NIST & CISA Compliance for SAP

Join us for an enlightening webinar where we simplify these regulatory frameworks, map CISA guidelines to SAP instances, and showcase how the SecurityBridge platform can assist you in achieving your SAP compliance needs.
Learn more
SAP vulnerability

Top 10 Vulnerabilities in SAP

SAP Vulnerability
As we know, SAP (Systems, Applications, and Products in Data Processing) is a widely used enterprise resource planning (ERP) software suite that helps organizations manage various business operations. No digital system is secure by nature or by default - there will always be security challenges, and SAP is no exception. In this article, we discuss the Top 10 vulnerabilities in SAP – how they affect the security of an SAP system, and finally, how to identify and manage them with SecurityBridge.
SAP security Patch day

SAP Security Patch Day – September 2023

SAP Security Patch Day
Today, September 12th, 2023 brings the release of SAP Security Patches for the extensive enterprise application portfolio developed by the Walldorf giant. SAP released 13 new Security Notes and provided 5 updates to previously released Security Notes.
Leadership team

Working Together for Greater SAP Security: SecurityBridge and Protect4S are Joining Forces

Press coverage- Security News
SecurityBridge, a leading provider of cybersecurity solutions for SAP customers, acquired Dutch SAP security specialist Protect4S. Through the acquisition, customers will benefit from an even more comprehensive one-stop-shop software platform that will improve every SAP customer’s security position across all technology stacks.