SAP Security Patch Day – August 2021

SAP Patchday

Tuesday the 10th of August was blocked in our calendars as the next monthly SAP Security Patch Day. It is important to review these security updates regularly to ensure that no critical vulnerability remains unpatched. The SAP Patch Day of August 2021 has seen 14 new SAP security patches (see the list below). One previously released correction has been updated too.

Highlights

SAP has provided patches for the following vulnerability types in August:
– Cross-Site Scripting (XSS)
– SQL Injection
– Unrestricted File Upload
– Server-Side Request Forgery (SSRF)
– Task Hijacking
– Missing Authentication check
– URL Redirection vulnerability
– Reverse Tabnabbing

In August the number of patches did not rise compared to last month, but the distribution of Security Note priorities shifted significantly toward the higher end. There are 8 corrections with priority High or Hot News (Very High). In 2021, we only saw a similar distribution on the SAP Security Patch Day of April.

While reviewing the released security patches, one realizes that the SAP NetWeaver Enterprise Portal has made a hat-trick: three corrections with priority High, ranging from CVSS 8.1 to 8.3, have been published.

Besides the SAP NetWeaver Enterprise Portal, SAP Business One has also received special attention, with three new corrections ranging from CVSS 6.3 to 9.9. An unrestricted file upload vulnerability rated Hot News (CVSS 9.9) has been identified and resolved with note 3071984. The correction lists the specific SP and hotfix levels that customers running SAP Business One need to update to. Alternatively, a temporary workaround is provided.

If you are using the DMIS Mobile Plug-In or SAP S/4HANA products, correction 3078312 requires your attention. The resolution should be fast and easy, since implementation can be done via transaction SNOTE.

Use SecurityBridge Patch Management to never miss an important patch, applicable for your SAP products.

Summary by Severity

The August release contains a total of 15 patches for the following severities:

Severity   Number
Hot News   3
High       5
Medium     7
Note | Description | Severity | CVSS

3071984 | [CVE-2021-33698] Unrestricted File Upload vulnerability in SAP Business One | Hot News | 9.9
  Product - SAP Business One, Version - 10.0

3072955 | [CVE-2021-33690] Server Side Request Forgery vulnerability in SAP NetWeaver Development Infrastructure (Component Build Service) | Hot News | 9.9
  Product - SAP NetWeaver Development Infrastructure (Component Build Service), Versions - 7.11, 7.20, 7.30, 7.31, 7.40, 7.50

3078312 | [CVE-2021-33701] SQL Injection vulnerability in SAP NZDT Row Count Reconciliation | Hot News | 9.1
  Product - DMIS Mobile Plug-In, Versions - DMIS 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 710, 2011_1_731, 710, 2011_1_752, 2020
  Product - SAP S/4HANA, Versions - SAPSCORE 125, S4CORE 102, 102, 103, 104, 105

3073681 | [CVE-2021-33702] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal | High | 8.3
  Product - SAP NetWeaver Enterprise Portal, Versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50

3072920 | [CVE-2021-33703] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal | High | 8.3
  Product - SAP NetWeaver Enterprise Portal (Application Extensions), Versions - 7.30, 7.31, 7.40, 7.50

3074844 | [CVE-2021-33705] Server-Side Request Forgery (SSRF) vulnerability in SAP NetWeaver Enterprise Portal | High | 8.1
  Product - SAP NetWeaver Enterprise Portal, Versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50

3067219 | [CVE-2021-33699] Task Hijacking in SAP Fiori Client Native Mobile for Android | High | 7.6
  Product - SAP Fiori Client Native Mobile for Android, Version - 3.2

3073325 | [CVE-2021-33700] Missing Authentication check in SAP Business One | High | 7
  Product - SAP Business One, Version - 10.0

3073450 | [CVE-2021-33691] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Development Infrastructure (Notification Service) | Medium | 6.9
  Product - SAP NetWeaver Development Infrastructure (Notification Service), Versions - 7.31, 7.40, 7.50

3058553 | [CVE-2021-33695] Multiple Vulnerabilities in SAP Cloud Connector (additional CVEs - CVE-2021-33694, CVE-2021-33693, CVE-2021-33692) | Medium | 6.8
  Product - SAP Cloud Connector, Version - 2.0

3078072 | [CVE-2021-33704] Missing Authorization Check in SAP Business One (Service Layer) | Medium | 6.3
  Product - SAP Business One, Version - 10.0

3002517 | Update to Security Note released on June 2021 Patch Day: [CVE-2021-21473] Missing Authorization check in SAP NetWeaver AS ABAP and ABAP Platform | Medium | 6.3
  Product - SAP NetWeaver AS ABAP and ABAP Platform (SRM_RFC_SUBMIT_REPORT), Versions - 700, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755

3076399 | [CVE-2021-33707] URL Redirection vulnerability in SAP NetWeaver (Knowledge Management) | Medium | 6.1
  Product - SAP NetWeaver (Knowledge Management), Versions - 7.30, 7.31, 7.40, 7.50

3062085 | [CVE-2021-33696] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (Crystal Report) | Medium | 5.4
  Product - SAP BusinessObjects Business Intelligence Platform (Crystal Report), Versions - 420, 430

3063048 | [CVE-2021-33697] Reverse Tabnabbing in SAP BusinessObjects Business Intelligence Platform (SAP UI5) | Medium | 4.7
  Product - SAP BusinessObjects Business Intelligence Platform (SAPUI5), Versions - 420, 430

Posted by Christoph Nagy