Skip to content

SAP Security Patch Day – August 2021

SAP security Patch day

Tuesday the 10th of August was blocked in our calendars as the next monthly SAP Security Patch Day. It is important to review these security updates regularly, to ensure that no critical vulnerability remains unpatched. The SAP Patch Day of August 2021 has seen 14 (see List) new SAP security patches. One previously released correction has been updated too.

Highlights

SAP has provided patches for the following vulnerability types in August:
– Cross-Site Scripting (XSS)
– SQL Injection
– Unrestricted File Upload
– Server-Side Request Forgery (SSRF)
– Task Hijacking
– Missing Authentication check
– URL Redirection vulnerability
– Reverse Tabnabbing

In August the number of patches did not rise compared to last month. The distribution of Security Notes priorities increased significantly. There are 8 corrections with priority High and Hot News (Very High). In 2021, we only saw a similar distribution in the SAP Security Patch Day of April.

While reviewing the released security patches, one realizes that the SAP NetWeaver Enterprise Portal has made a hat-trick. Three corrections with a priority high, ranging from CVSS 8.1 to 8.3 have been published.

Besides the SAP NetWeaver Enterprise Portal, also the SAP Business One has received special attention, with three new corrections ranging from CVSS 6.3 to 9.9. An unrestricted file upload vulnerability with Hot News (CVSS 9.9) has been identified and resolved with 3071984. The correction lists specific SP and hotfix level that customers running SAP Business One need to update. Alternatively, a temporary workaround was provided.

If you are using the DMIS Mobile Plug-In or SAP S/4HANA products, correction 3078312  requires your attention. The resolution should be fast and easy since implementation can be done via transaction SNOTE.

Use SecurityBridge Patch Management to never miss an important patch, applicable for your SAP products.

Summary by Severity

The August release contains a total of 15 patches for the following severities:

SeverityNumber
Hot News
3
High
5
Medium
7
NoteDescriptionSeverityCVSS
3071984[CVE-2021-33698] Unrestricted File Upload vulnerability in SAP Business One
Product - SAP Business One, Version - 10.0
Hot News
9.9
3072955[CVE-2021-33690] Server Side Request Forgery vulnerability in SAP NetWeaver Development Infrastructure (Component Build Service)
Product - SAP NetWeaver Development Infrastructure (Component Build Service), Versions - 7.11, 7.20, 7.30, 7.31, 7.40, 7.50
Hot News
9.9
3078312[CVE-2021-33701] SQL Injection vulnerability in SAP NZDT Row Count Reconciliation
Product - DMIS Mobile Plug-In, Versions - DMIS 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 710, 2011_1_731, 710, 2011_1_752, 2020
Product - SAP S/4HANA, Versions - SAPSCORE 125, S4CORE 102, 102, 103, 104, 105
Hot News
9.1
3073681[CVE-2021-33702] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal
Product - SAP NetWeaver Enterprise Portal, Versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50
High
8.3
3072920[CVE-2021-33703] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal
Product - SAP NetWeaver Enterprise Portal (Application Extensions), Versions - 7.30, 7.31, 7.40, 7.50
High
8.3
3074844[CVE-2021-33705] Server-Side Request Forgery (SSRF) vulnerability in SAP NetWeaver Enterprise Portal
Product - SAP NetWeaver Enterprise Portal, Versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50
High
8.1
3067219[CVE-2021-33699] Task Hijacking in SAP Fiori Client Native Mobile for Android
Product - SAP Fiori Client Native Mobile for Android, Version - 3.2
High
7.6
3073325[CVE-2021-33700] Missing Authentication check in SAP Business One
Product - SAP Business One, Version - 10.0
High
7
3073450[CVE-2021-33691] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Development Infrastructure (Notification Service)
Product - SAP NetWeaver Development Infrastructure (Notification Service), Versions - 7.31, 7.40, 7.50
Medium
6.9
3058553[CVE-2021-33695] Multiple Vulnerabilities in SAP Cloud ConnectorAdditional CVEs - CVE-2021-33694, CVE-2021-33693, CVE-2021-33692
Product - SAP Cloud Connector, Version - 2.0
Medium
6.8
3078072[CVE-2021-33704] Missing Authorization Check in SAP Business One (Service Layer)
Product - SAP Business One, Version - 10.0
Medium
6.3
3002517Update to Security Note release on June 2021 Patch Day:[CVE-2021-21473] Missing Authorization check in SAP NetWeaver AS ABAP and ABAP Platform
Product - SAP NetWeaver AS ABAP and ABAP Platform (SRM_RFC_SUBMIT_REPORT), Versions - 700, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755
Medium
6.3
3076399[CVE-2021-33707] URL Redirection vulnerability in SAP NetWeaver (Knowledge Management)
Product - SAP NetWeaver (Knowledge Management), Versions - 7.30, 7.31, 7.40, 7.50
Medium
6.1
3062085[CVE-2021-33696] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (Crystal Report)
Product - SAP BusinessObjects Business Intelligence Platform (Crystal Report), Versions - 420, 430
Medium
5.4
3063048[CVE-2021-33697] Reverse Tabnabbing in SAP BusinessObjects Business Intelligence Platform (SAP UI5)
Product - SAP BusinessObjects Business Intelligence Platform (SAPUI5), Versions - 420, 430
Medium
4.7

Source

Posted by

Christoph Nagy
Find recent Security Advisories for SAP©
Download the White Paper “Bridging the Gap – How SecurityBridge Supports NIST CSF in SAP Environments”. Learn how choosing the right tool can significantly shorten the journey of NIST CSF adoption and improve the security posture of SAP environments.

Webinar: SAP Security Baseline: Surviving an SAP Audit

With the recent increase in attention to SAP security from auditors, we decided to investigate SAP baselines. We took a closer look into what SAP baselines are, how they can help you, and how to survive an audit.
SAP security by design
Security-by-design is a principle that emphasizes the need to build security measures into software systems from the start rather than as an afterthought. SAP projects need to embed security conciseness to respect this principle and gain a cyber-resilient application. Thus, they should prioritize security when designing and implementing their SAP systems rather than attempting to bolt on security measures afterward. This can help to prevent security breaches and minimize the damage caused by cyberattacks.
coding
Remote Code Execution (RCE) vulnerability in SAP is a type of security issue that allows an attacker to execute arbitrary code on a target system remotely. has gained control of a user's click, they can execute a range of actions, such as transferring funds, changing user settings, or stealing sensitive data.
Management Dashboard
SAP security provider SecurityBridge—now operating in the U.S.—today announced the latest addition to the SecurityBridge Platform—the Management Dashboard for SAP security. The SAP Management Dashboard is a no-cost, additional application for the existing SecurityBridge Platform that combines all SAP data aspects and presents the information through a customizable, single pane of glass security dashboard view.
Hacker mining SAPsecurity
SAP Cybersecurity- SAP Vulnerability
In recent years, cyberattacks against SAP systems have become more common, with attackers gaining network access and then exploring critical applications through port scanning and script-based exploration. Two examples of such attacks that use the SAP RFC SDK are the password lock attack and the password spray attack. In this article, we will outline how to detect these script-based attacks against SAP.