SAP Security Patch Day – January 2021
Our team of experts follows the monthly releases of SAP Security Patches closely to ensure our product customers stay continuously updated and secured.
In 2021, SAP continues its practice of releasing product corrections with security impact to its customers on the second Tuesday of every month; this month's release date was 12 January.
Patching enterprise-critical applications belongs to the category of security hygiene or housekeeping. Patching, provided it is done regularly and promptly after the release date, addresses one important aspect of SAP security: resolving code vulnerabilities in the SAP standard product portfolio.
Targeting a „solid state“ in SAP security, customers running SAP products need to carefully address the following aspects in addition to implementing released SAP Security Patches. Not strictly ordered by priority: start by measuring the hardening level of your SAP installations. Working with a security baseline helps you master the creation, implementation, and enforcement of a system hardening standard, even in very complex landscapes.
Second, but no less important, is accurate quality assurance of custom code, scouting for vulnerabilities introduced by the customer's own development team.
Since the January release is the first of the new year, it is a good moment to recap the releases of the past six months. Since mid-2020, SAP has released on average 16 security-relevant corrections a month. This month's Patch Day, with 17 patches, is slightly above average. With 21 corrections, the SAP Patch Day of October 2020 stands out.
Our team has created a summary for all SAP Patch Days. Please find the most recent articles here:
The SAP Patch Day of January provides 5 corrections with priority „Hot News“ and one with priority „High“. With 2622660, SAP continues its effort to keep the Google Chromium engine used within the SAP Business Client up to date. The priority of this note remains „Hot News“, so its updates should be continuously reviewed and evaluated in line with the customer's use case.
Note 2986980 was released to solve multiple vulnerabilities in SAP Business Warehouse's Data Interface. We would like to highlight this correction in particular because it affects the majority of SAP Business Warehouse and SAP BW4HANA versions.
While we are looking at SAP BW and SAP BW4HANA, another correction with CVSS 9.9, resolving a code injection flaw in the business warehouse product, was released.
Wrapping up the „Hot News“ releases of this month, an update to the CVSS 9.1 note 2979062 has been provided. The update enhances the code correction for the UDDI Server.
A single note with priority „High“, for a Denial of Service (DoS) vulnerability in SAP NetWeaver AS ABAP and ABAP Platform, was provided as note 3000306. Regarding 3000306, our experts again highlight the need to deactivate all services related to demo objects provided by SAP.
Summary by Severity
The January release contains a total of 17 patches for the following severities:
| Note | Title | Affected products and versions |
|---|---|---|
| 2622660 | Update to security note released on April 2018 Patch Day: Security updates for the browser control Google Chromium delivered with SAP Business Client | SAP Business Client, Version 6.5 |
| | vulnerabilities in SAP Business Warehouse (Database Interface); additional CVE: CVE-2021-21468 | SAP Business Warehouse, Versions 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 782 |
| | Injection in SAP Business Warehouse and SAP BW/4HANA | SAP Business Warehouse, Versions 700, 701, 702, 711, 730, 731, 740, 750, 782; SAP BW4HANA, Versions 100, 200 |
| 2983367 | Update to security note released on December 2020 Patch Day: [CVE-2020-26838] Code Injection vulnerability in SAP Business Warehouse (Master Data Management) and SAP BW4HANA | SAP Business Warehouse, Versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 782; SAP BW4HANA, Versions 100, 200 |
| 2979062 | Update to security note released on November 2020 Patch Day: [CVE-2020-26820] Privilege escalation in SAP NetWeaver Application Server for Java (UDDI Server) | SAP NetWeaver AS JAVA, Versions 7.20, 7.30, 7.31, 7.40, 7.50 |
| 3000306 | [CVE-2021-21446] Denial of service (DoS) in SAP NetWeaver AS ABAP and ABAP Platform | SAP NetWeaver AS ABAP, Versions 740, 750, 751, 752, 753, 754, 755 |
| 2863397 | Update to security note released on January 2020 Patch Day: [CVE-2020-6307] Missing Authorization Check in Automated Note Search | Automated Note Search Tool (SAP Basis), Versions 7.0, 7.01, 7.02, 7.31, 7.4, 7.5, 7.51, 7.52, 7.53, 7.54 |
| 2826528 | Update to security note released on April 2020 Patch Day: [CVE-2020-6224] Information Disclosure in SAP NetWeaver Application Server Java (HTTP Service) | SAP NetWeaver AS Java (HTTP Service), Versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 |
| | Manipulation vulnerability in SAP Commerce Cloud | SAP Commerce Cloud, Versions 1808, 1811, 1905, 2005, 2011 |
| 2965154 | [CVE-2021-21447] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface) | SAP BusinessObjects Business Intelligence platform (Web Intelligence HTML interface), Versions 410, 420 |
| 2912747 | Update to security note released on May 2020 Patch Day: [CVE-2020-6256] Missing Authorization check in SAP Master Data | SAP Master Data Governance, Versions 748, 749, 750, 751, 752, 800, 801, 802, 803, 804 |
| 2971163 | Update to security note released on December 2020 Patch Day: [CVE-2020-26816] Missing Encryption in SAP NetWeaver AS Java (Key | SAP NetWeaver AS JAVA (Key Storage Service), Versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 |
| 2992269 | [CVE-2021-21448] Information Disclosure in SAP GUI for Windows | SAP GUI FOR WINDOWS, Version 7.60 |
| 2993032 | [CVE-2021-21469] Information Disclosure in SAP NetWeaver Master Data Management | SAP NetWeaver Master Data Management, Versions 7.10, 7.10.750, 710 |
| 3002617 | [Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer (CVE-2021-21449, CVE-2021-21457, CVE-2021-21458, CVE-2021-21459, CVE-2021-21450, CVE-2021-21451, CVE-2021-21452, CVE-2021-21453, CVE-2021-21454, CVE-2021-21455, CVE-2021-21456, CVE-2021-21460, CVE-2021-21461, CVE-2021-21462, CVE-2021-21463, CVE-2021-21464) | SAP 3D Visual Enterprise Viewer, Version 9.0 |
| | Authorization check in SAP Banking Services (Generic Market Data) | SAP Banking Services (Generic Market Data), Versions 400, 450, 500 |
| | External Entity vulnerability in SAP EPM add-in | SAP EPM ADD-IN, Versions 2.8, 1010 |
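A bulletin like the table above is only useful once it is matched against what a landscape actually runs. The following Python script is an added example, not part of the original post and not SAP tooling: it parses rows in the flattened shape the table has here (note number, title carrying the CVE id, one `Product - …, Versions - …` line per affected product) into records and reports which notes list an installed product and version. The five sample rows are copied from the table; the `INVENTORY` list of installed versions is a constructed, hypothetical example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: five rows copied in the flattened shape the bulletin's
# table has after extraction. The 2863397 title ends where it ends on the page.
RAW_ROWS = """\
|3000306||[CVE-2021-21446] Denial of service (DOS) in SAP NetWeaver AS ABAP and ABAP Platform|
Product - SAP NetWeaver AS ABAP, Versions - 740, 750, 751, 752, 753, 754, 755
|2979062||Update to security note released on November 2020 Patch Day:[CVE-2020-26820] Privilege escalation in SAP NetWeaver Application Server for Java (UDDI Server)|
Product - SAP NetWeaver AS JAVA, Versions - 7.20, 7.30, 7.31, 7.40, 7.50
|2983367||Update to security note released on December 2020 Patch Day:[CVE-2020-26838] Code Injection vulnerability in SAP Business Warehouse (Master Data Management) and SAP BW4HANA|
Product - SAP Business Warehouse, Versions - 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 782
Product - SAP BW4HANA, Versions - 100, 200
|2863397||Update to security note released on January 2020 Patch Day:[CVE-2020-6307] Missing Authorization Check in Automated Note Search
Product - Automated Note Search Tool (SAP Basis), Versions - 7.0, 7.01,7.02, 7.31, 7.4, 7.5, 7.51, 7.52, 7.53 and 7.54
|2992269||[CVE-2021-21448] Information Disclosure in SAP GUI for Windows|
Product - SAP GUI FOR WINDOWS, Version - 7.60
"""

# Hypothetical inventory of one landscape, written in the bulletin's own
# version spelling (ABAP releases as 750, Java releases as 7.50).
INVENTORY = [
    ("SAP NetWeaver AS ABAP", "752"),
    ("SAP BW4HANA", "200"),
    ("Automated Note Search Tool (SAP Basis)", "7.54"),
    ("SAP GUI FOR WINDOWS", "7.70"),  # not in the affected list (only 7.60 is)
]

NOTE_RE = re.compile(r"^\|(\d+)\|\|(.*?)\|?$")       # closing pipe optional: truncated rows
PRODUCT_RE = re.compile(r"^Product - (.+?), Versions? - (.+)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
VERSION_SPLIT_RE = re.compile(r",|\s+and\s+")       # "7.53 and 7.54" -> two entries


@dataclass
class SecurityNote:
    note: str
    title: str
    cves: list[str] = field(default_factory=list)
    products: dict[str, list[str]] = field(default_factory=dict)


def parse_rows(text: str) -> tuple[list[SecurityNote], list[str]]:
    """Parse flattened bulletin rows into SecurityNote records.

    Also returns every non-empty line that matched neither pattern, so rows
    that lost their note-number cell (several on the page did) surface in a
    review instead of silently vanishing from the note count.
    """
    notes: list[SecurityNote] = []
    unparsed: list[str] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = NOTE_RE.match(line)
        if m:
            title = m.group(2)
            notes.append(SecurityNote(m.group(1), title, CVE_RE.findall(title)))
            continue
        m = PRODUCT_RE.match(line)
        if m and notes:  # product lines belong to the most recent note row
            versions = [v.strip() for v in VERSION_SPLIT_RE.split(m.group(2)) if v.strip()]
            notes[-1].products[m.group(1).strip()] = versions
            continue
        unparsed.append(line)
    return notes, unparsed


def applicable_notes(notes: list[SecurityNote],
                     inventory: list[tuple[str, str]]) -> dict[str, list[tuple[str, str]]]:
    """Map note number -> installed (product, version) pairs that note lists.

    Product names compare case-insensitively; versions compare as the exact
    strings the bulletin prints, so the inventory must use that spelling.
    """
    hits: dict[str, list[tuple[str, str]]] = {}
    for note in notes:
        affected = {p.lower(): set(v) for p, v in note.products.items()}
        for product, version in inventory:
            if version in affected.get(product.lower(), set()):
                hits.setdefault(note.note, []).append((product, version))
    return hits


if __name__ == "__main__":
    parsed, leftovers = parse_rows(RAW_ROWS)
    print(f"{len(parsed)} notes parsed, {len(leftovers)} lines unparsed")
    for number, where in applicable_notes(parsed, INVENTORY).items():
        print(number, "applies to", where)
```

Comparing the parsed note count with the total the bulletin states (17 for January) is a cheap sanity check that no row was lost; any line ending up in the unparsed list is a row to fix by hand before trusting the applicability output.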