SAP Security Patch Day – August 2021

Tuesday, the 10th of August, was blocked in our calendars as the next monthly SAP Security Patch Day. It is important to review these security updates regularly to ensure that no critical vulnerability remains unpatched. The SAP Patch Day of August 2021 brought 14 new SAP Security Notes (see the list below); one previously released correction was updated as well.

Highlights

SAP has provided patches for the following vulnerability types in August:
– Cross-Site Scripting (XSS)
– SQL Injection
– Unrestricted File Upload
– Server-Side Request Forgery (SSRF)
– Task Hijacking
– Missing Authentication check
– URL Redirection vulnerability
– Reverse Tabnabbing

In August the number of patches did not rise compared to last month, but the distribution of Security Note priorities shifted markedly towards the upper end: there are 8 corrections with priority High or Hot News (Very High). In 2021 we have only seen a similar distribution on the SAP Security Patch Day of April.

While reviewing the released security patches, one notices that SAP NetWeaver Enterprise Portal has scored a hat-trick: three corrections with priority High, ranging from CVSS 8.1 to 8.3, have been published.

Besides SAP NetWeaver Enterprise Portal, SAP Business One has also received special attention, with three new corrections ranging from CVSS 6.3 to 9.9. An unrestricted file upload vulnerability rated Hot News (CVSS 9.9) has been identified and resolved with Note 3071984. The Note lists the specific SP and hotfix levels to which customers running SAP Business One need to update. Alternatively, a temporary workaround is provided.

If you are using the DMIS Mobile Plug-In or SAP S/4HANA products, correction 3078312 requires your attention. The resolution should be fast and easy, since the implementation can be done via transaction SNOTE.

Use SecurityBridge Patch Management to never miss an important patch applicable to your SAP products.

Summary by Severity

The August release contains a total of 15 patches with the following severities:

| Severity | Number |
| --- | --- |
| Hot News | 3 |
| High | 5 |
| Medium | 7 |
| Note | Description | Affected product(s) and version(s) | Severity | CVSS |
| --- | --- | --- | --- | --- |
| 3071984 | [CVE-2021-33698] Unrestricted File Upload vulnerability in SAP Business One | SAP Business One, Version 10.0 | Hot News | 9.9 |
| 3072955 | [CVE-2021-33690] Server Side Request Forgery vulnerability in SAP NetWeaver Development Infrastructure (Component Build Service) | SAP NetWeaver Development Infrastructure (Component Build Service), Versions 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 | Hot News | 9.9 |
| 3078312 | [CVE-2021-33701] SQL Injection vulnerability in SAP NZDT Row Count Reconciliation | DMIS Mobile Plug-In, Versions DMIS 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 710, 2011_1_731, 710, 2011_1_752, 2020; SAP S/4HANA, Versions SAPSCORE 125, S4CORE 102, 102, 103, 104, 105 | Hot News | 9.1 |
| 3073681 | [CVE-2021-33702] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal | SAP NetWeaver Enterprise Portal, Versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 | High | 8.3 |
| 3072920 | [CVE-2021-33703] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal | SAP NetWeaver Enterprise Portal (Application Extensions), Versions 7.30, 7.31, 7.40, 7.50 | High | 8.3 |
| 3074844 | [CVE-2021-33705] Server-Side Request Forgery (SSRF) vulnerability in SAP NetWeaver Enterprise Portal | SAP NetWeaver Enterprise Portal, Versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 | High | 8.1 |
| 3067219 | [CVE-2021-33699] Task Hijacking in SAP Fiori Client Native Mobile for Android | SAP Fiori Client Native Mobile for Android, Version 3.2 | High | 7.6 |
| 3073325 | [CVE-2021-33700] Missing Authentication check in SAP Business One | SAP Business One, Version 10.0 | High | 7 |
| 3073450 | [CVE-2021-33691] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Development Infrastructure (Notification Service) | SAP NetWeaver Development Infrastructure (Notification Service), Versions 7.31, 7.40, 7.50 | Medium | 6.9 |
| 3058553 | [CVE-2021-33695] Multiple Vulnerabilities in SAP Cloud Connector (additional CVEs: CVE-2021-33694, CVE-2021-33693, CVE-2021-33692) | SAP Cloud Connector, Version 2.0 | Medium | 6.8 |
| 3078072 | [CVE-2021-33704] Missing Authorization Check in SAP Business One (Service Layer) | SAP Business One, Version 10.0 | Medium | 6.3 |
| 3002517 | Update to Security Note released on the June 2021 Patch Day: [CVE-2021-21473] Missing Authorization check in SAP NetWeaver AS ABAP and ABAP Platform | SAP NetWeaver AS ABAP and ABAP Platform (SRM_RFC_SUBMIT_REPORT), Versions 700, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755 | Medium | 6.3 |
| 3076399 | [CVE-2021-33707] URL Redirection vulnerability in SAP NetWeaver (Knowledge Management) | SAP NetWeaver (Knowledge Management), Versions 7.30, 7.31, 7.40, 7.50 | Medium | 6.1 |
| 3062085 | [CVE-2021-33696] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (Crystal Report) | SAP BusinessObjects Business Intelligence Platform (Crystal Report), Versions 420, 430 | Medium | 5.4 |
| 3063048 | [CVE-2021-33697] Reverse Tabnabbing in SAP BusinessObjects Business Intelligence Platform (SAP UI5) | SAP BusinessObjects Business Intelligence Platform (SAPUI5), Versions 420, 430 | Medium | 4.7 |
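The review step this post asks for, checking which of the released Notes actually hit systems in your own landscape and ordering the hits by priority, as an added Python example that is not part of this post and not SecurityBridge's product code. The five Note records are transcribed from the table above and keep the affected-product lines in the page's own "Product - X, Version(s) - ..." form so the parser operates on that format; the landscape (system IDs, products, versions) is constructed, and the parser assumes that a component prefix such as "S4CORE" also applies to the bare version numbers listed after it.

```python
import re
from dataclasses import dataclass

# Constructed sample: five Note records transcribed from the August 2021 table,
# with the affected-product lines kept in the page's own
# "Product - <name>, Version(s) - <list>" form so the parser below works on them.
NOTES = [
    ("3071984", "Unrestricted File Upload vulnerability in SAP Business One", "Hot News", 9.9,
     ["Product - SAP Business One, Version - 10.0"]),
    ("3078312", "SQL Injection vulnerability in SAP NZDT Row Count Reconciliation", "Hot News", 9.1,
     ["Product - DMIS Mobile Plug-In, Versions - DMIS 2011_1_620, 2011_1_640, 2011_1_700, "
      "2011_1_710, 2011_1_730, 710, 2011_1_731, 710, 2011_1_752, 2020",
      "Product - SAP S/4HANA, Versions - SAPSCORE 125, S4CORE 102, 102, 103, 104, 105"]),
    ("3073681", "Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal", "High", 8.3,
     ["Product - SAP NetWeaver Enterprise Portal, Versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50"]),
    ("3073325", "Missing Authentication check in SAP Business One", "High", 7.0,
     ["Product - SAP Business One, Version - 10.0"]),
    ("3076399", "URL Redirection vulnerability in SAP NetWeaver (Knowledge Management)", "Medium", 6.1,
     ["Product - SAP NetWeaver (Knowledge Management), Versions - 7.30, 7.31, 7.40, 7.50"]),
]

PRODUCT_RE = re.compile(r"^Product - (?P<product>.+?), Versions? - (?P<versions>.+)$")
SEVERITY_RANK = {"Hot News": 0, "High": 1, "Medium": 2, "Low": 3}


@dataclass(frozen=True)
class System:
    sid: str        # constructed system ID
    product: str    # product name exactly as SAP spells it in the Note
    version: str    # version, component-qualified where the Note lists one ("S4CORE 104")


# Constructed landscape inventory; in practice this comes from your system list.
LANDSCAPE = [
    System("PRD", "SAP S/4HANA", "S4CORE 104"),
    System("EP1", "SAP NetWeaver Enterprise Portal", "7.50"),
    System("DEV", "SAP NetWeaver Enterprise Portal", "7.50"),
    System("B1P", "SAP Business One", "10.0"),
    System("KMQ", "SAP NetWeaver (Knowledge Management)", "7.40"),
]


def parse_product_line(line):
    """Turn 'Product - X, Versions - a, b' into (product, set-of-versions).

    Assumption about the list format: a token such as 'S4CORE 102' names a
    software component, and the bare numbers after it ('103', '104') belong to
    that same component, so the prefix is carried forward onto them.
    """
    m = PRODUCT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised product line: {line!r}")
    versions, component = set(), ""
    for token in (t.strip() for t in m.group("versions").split(",")):
        if not token:
            continue
        parts = token.split(" ", 1)
        if len(parts) == 2 and parts[0][0].isalpha():
            component, token = parts
        versions.add(f"{component} {token}".strip())
    return m.group("product"), versions


def applicable_notes(notes, landscape):
    """Return the Notes that hit at least one system, most urgent first.

    Each hit is (note, title, severity, cvss, sorted list of affected SIDs);
    ordering is Hot News before High before Medium, then descending CVSS.
    """
    hits = []
    for note, title, severity, cvss, product_lines in notes:
        affected = dict(parse_product_line(pl) for pl in product_lines)
        sids = sorted(s.sid for s in landscape
                      if s.product in affected and s.version in affected[s.product])
        if sids:
            hits.append((note, title, severity, cvss, sids))
    hits.sort(key=lambda h: (SEVERITY_RANK[h[2]], -h[3], h[0]))
    return hits


if __name__ == "__main__":
    for note, title, severity, cvss, sids in applicable_notes(NOTES, LANDSCAPE):
        print(f"{note}  {severity:<8} {cvss:>4}  {', '.join(sids):<10} {title}")
```

Matching is deliberately exact on product name and version string: a Note that does not list your version does not show up, which is the behaviour you want when deciding what to schedule for SNOTE or a hotfix, and a system whose version is missing from the inventory should be fixed in the inventory rather than papered over with a fuzzy match.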

Source

Posted by

Christoph Nagy