SAP Security Patch Day – January 2021


Our team of experts follows the monthly releases of SAP Security Patches closely to ensure our product customers are continuously updated and secured.
In 2021 SAP continues its practice of releasing product corrections with security impact on the second Tuesday of every month; this month's Patch Day fell on 12 January.

Patching enterprise-critical applications belongs to the category of security hygiene, or housekeeping. Done regularly and promptly after the release date, patching addresses one important aspect of SAP security: resolving code vulnerabilities in the SAP standard product portfolio.

To reach a „solid state“ in SAP security, customers running SAP products need to review the following aspects in addition to implementing the released SAP Security Patches. In no particular order of priority, start by measuring the hardening level of your SAP installations. Working with a security baseline helps you master the creation, implementation and enforcement of a system hardening standard, even in very complex landscapes.
Second, and no less important, is thorough quality assurance of custom code, scouting for vulnerabilities introduced by the customer's own development team.

Previous releases

Since the January release is the first of the new year, it is a good moment to recap the releases of the past six months. Since mid-2020 SAP has released on average 16 security-relevant corrections a month. This month's Patch Day, with 17 patches, is slightly above that average; the October 2020 Patch Day, with 21 corrections, stands out as the peak.


Highlights

The January Patch Day provides five corrections with priority „Hot News“ and one with priority „High“. With 2622660, SAP continues its ongoing updates of the Google Chromium engine used within the SAP Business Client. This note keeps its „Hot News“ priority, so its updates should be continuously reviewed and evaluated against the customer's use case.

Note 2986980 was released to fix multiple vulnerabilities (CVE-2021-21465 and CVE-2021-21468) in the Database Interface of SAP Business Warehouse. We highlight this correction in particular because it affects nearly every SAP Business Warehouse release, from 710 through 782.

While we are looking at SAP BW and SAP BW/4HANA: another correction with CVSS 9.9, note 2999854 (CVE-2021-21466), resolves a Code Injection flaw in SAP Business Warehouse and SAP BW/4HANA. The fourth „Hot News“ entry, 2983367, updates December's correction for the Code Injection vulnerability (CVE-2020-26838) in SAP BW Master Data Management and SAP BW/4HANA.
Wrapping up this month's „Hot News“ releases, an update to the CVSS 9.1 note 2979062 (CVE-2020-26820, privilege escalation in SAP NetWeaver AS Java) has been provided; it enhances the code correction for the UDDI Server.

A single note with priority „High“, 3000306, addresses a Denial of Service (DoS) vulnerability (CVE-2021-21446) in SAP NetWeaver AS ABAP and ABAP Platform. In the context of 3000306, our experts have again highlighted the need to deactivate all services related to the demo objects shipped by SAP: demo content that is not needed only adds attack surface.

Summary by Severity

The January release contains a total of 17 patches for the following severities:

Severity    Number
Hot News    5
High        1
Medium      10
Low         1
Note | Severity | CVSS (description and affected products below each entry)

2622660 | Hot News | CVSS 10
  Update to security note released on April 2018 Patch Day: Security updates for the browser control Google Chromium delivered with SAP Business Client
  Product: SAP Business Client, Version 6.5

2986980 | Hot News | CVSS 9.9
  [CVE-2021-21465] Multiple vulnerabilities in SAP Business Warehouse (Database Interface). Additional CVE: CVE-2021-21468
  Product: SAP Business Warehouse, Versions 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 782

2999854 | Hot News | CVSS 9.9
  [CVE-2021-21466] Code Injection in SAP Business Warehouse and SAP BW/4HANA
  Product: SAP Business Warehouse, Versions 700, 701, 702, 711, 730, 731, 740, 750, 782
  Product: SAP BW4HANA, Versions 100, 200

2983367 | Hot News | CVSS 9.1
  Update to security note released on December 2020 Patch Day: [CVE-2020-26838] Code Injection vulnerability in SAP Business Warehouse (Master Data Management) and SAP BW4HANA
  Product: SAP Business Warehouse, Versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 782
  Product: SAP BW4HANA, Versions 100, 200

2979062 | Hot News | CVSS 9.1
  Update to security note released on November 2020 Patch Day: [CVE-2020-26820] Privilege escalation in SAP NetWeaver Application Server for Java (UDDI Server)
  Product: SAP NetWeaver AS JAVA, Versions 7.20, 7.30, 7.31, 7.40, 7.50

3000306 | High | CVSS 7.5
  [CVE-2021-21446] Denial of service (DoS) in SAP NetWeaver AS ABAP and ABAP Platform
  Product: SAP NetWeaver AS ABAP, Versions 740, 750, 751, 752, 753, 754, 755

2863397 | Medium | CVSS 6.5
  Update to security note released on January 2020 Patch Day: [CVE-2020-6307] Missing Authorization Check in Automated Note Search Tool (SAP_BASIS)
  Product: Automated Note Search Tool (SAP Basis), Versions 7.0, 7.01, 7.02, 7.31, 7.4, 7.5, 7.51, 7.52, 7.53, 7.54

2826528 | Medium | CVSS 6.2
  Update to security note released on April 2020 Patch Day: [CVE-2020-6224] Information Disclosure in SAP NetWeaver Application Server Java (HTTP Service)
  Product: SAP NetWeaver AS Java (HTTP Service), Versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50

2984034 | Medium | CVSS 5.4
  [CVE-2021-21445] Header Manipulation vulnerability in SAP Commerce Cloud
  Product: SAP Commerce Cloud, Versions 1808, 1811, 1905, 2005, 2011

2965154 | Medium | CVSS 5.4
  [CVE-2021-21447] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface)
  Product: SAP BusinessObjects Business Intelligence platform (Web Intelligence HTML interface), Versions 410, 420

2912747 | Medium | CVSS 5.4
  Update to security note released on May 2020 Patch Day: [CVE-2020-6256] Missing Authorization check in SAP Master Data Governance
  Product: SAP Master Data Governance, Versions 748, 749, 750, 751, 752, 800, 801, 802, 803, 804

2971163 | Medium | CVSS 5.4
  Update to security note released on December 2020 Patch Day: [CVE-2020-26816] Missing Encryption in SAP NetWeaver AS Java (Key Storage Service)
  Product: SAP NetWeaver AS JAVA (Key Storage Service), Versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50

2992269 | Medium | CVSS 5.3
  [CVE-2021-21448] Information Disclosure in SAP GUI for Windows
  Product: SAP GUI for Windows, Version 7.60

2993032 | Medium | CVSS 5.3
  [CVE-2021-21469] Information Disclosure in SAP NetWeaver Master Data Management
  Product: SAP NetWeaver Master Data Management, Versions 7.10, 7.10.750, 710

3002617 | Medium | CVSS 4.3
  [Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer. CVEs: CVE-2021-21449, CVE-2021-21450, CVE-2021-21451, CVE-2021-21452, CVE-2021-21453, CVE-2021-21454, CVE-2021-21455, CVE-2021-21456, CVE-2021-21457, CVE-2021-21458, CVE-2021-21459, CVE-2021-21460, CVE-2021-21461, CVE-2021-21462, CVE-2021-21463, CVE-2021-21464
  Product: SAP 3D Visual Enterprise Viewer, Version 9.0

3008422 | Medium | CVSS 4.3
  [CVE-2021-21467] Missing Authorization check in SAP Banking Services (Generic Market Data)
  Product: SAP Banking Services (Generic Market Data), Versions 400, 450, 500

3000291 | Low | CVSS 3.6
  [CVE-2021-21470] XML External Entity vulnerability in SAP EPM add-in
  Product: SAP EPM Add-in, Versions 2.8, 1010
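The table is only useful once it is mapped onto your own landscape. The script below is an added example (not code from this article, from SAP or from any SAP tool): it takes the Hot News and High entries from the table above, plus one Medium entry, as structured data and matches them against a constructed system inventory, producing a worklist per system ordered by priority and CVSS. The system IDs, the inventory and the choice of a subset of notes are assumptions; release strings are copied exactly as SAP lists them in the table.

```python
"""Patch Day triage helper (added example; not code from the article or from SAP).

Maps the Hot News and High notes from the January 2021 table (plus one Medium
note) to a constructed system inventory, so that each system gets a worklist
ordered by priority and CVSS.  System IDs and the inventory are hypothetical.
"""
from dataclasses import dataclass

# Lower rank = work on it first.  Priorities as SAP labels them on Patch Day.
SEVERITY_RANK = {"Hot News": 0, "High": 1, "Medium": 2, "Low": 3}


@dataclass(frozen=True)
class Note:
    number: int
    title: str
    severity: str
    cvss: float
    affected: dict  # product name -> set of affected releases, as written in the note table


# Subset of the table above; release strings are copied as SAP lists them.
NOTES = [
    Note(2986980, "Multiple vulnerabilities in SAP BW (Database Interface)", "Hot News", 9.9,
         {"SAP Business Warehouse": {"710", "711", "730", "731", "740", "750",
                                     "751", "752", "753", "754", "755", "782"}}),
    Note(2999854, "Code Injection in SAP BW and SAP BW/4HANA", "Hot News", 9.9,
         {"SAP Business Warehouse": {"700", "701", "702", "711", "730", "731", "740", "750", "782"},
          "SAP BW4HANA": {"100", "200"}}),
    Note(2983367, "Code Injection in SAP BW (Master Data Management) and SAP BW4HANA (update)", "Hot News", 9.1,
         {"SAP Business Warehouse": {"700", "701", "702", "731", "740", "750",
                                     "751", "752", "753", "754", "755", "782"},
          "SAP BW4HANA": {"100", "200"}}),
    Note(2979062, "Privilege escalation in SAP NetWeaver AS Java (UDDI Server) (update)", "Hot News", 9.1,
         {"SAP NetWeaver AS JAVA": {"7.20", "7.30", "7.31", "7.40", "7.50"}}),
    Note(3000306, "Denial of service in SAP NetWeaver AS ABAP and ABAP Platform", "High", 7.5,
         {"SAP NetWeaver AS ABAP": {"740", "750", "751", "752", "753", "754", "755"}}),
    Note(2992269, "Information Disclosure in SAP GUI for Windows", "Medium", 5.3,
         {"SAP GUI FOR WINDOWS": {"7.60"}}),
]

# Constructed inventory (hypothetical SIDs): system -> {product: installed release}.
INVENTORY = {
    "BWP": {"SAP Business Warehouse": "750", "SAP NetWeaver AS ABAP": "750"},
    "B4P": {"SAP BW4HANA": "200", "SAP NetWeaver AS ABAP": "754"},
    "JAP": {"SAP NetWeaver AS JAVA": "7.50"},
    "ERQ": {"SAP NetWeaver AS ABAP": "731"},
}


def applicable_notes(system, notes=NOTES):
    """Notes whose affected (product, release) pairs match this system, in work order."""
    hits = []
    for note in notes:
        if any(release in note.affected.get(product, ())
               for product, release in system.items()):
            hits.append(note)
    # Hot News before High before Medium; within a priority, higher CVSS first.
    hits.sort(key=lambda n: (SEVERITY_RANK[n.severity], -n.cvss, n.number))
    return hits


def triage(inventory=INVENTORY, notes=NOTES):
    """System ID -> ordered list of applicable note numbers."""
    return {sid: [n.number for n in applicable_notes(system, notes)]
            for sid, system in inventory.items()}


def unmatched_notes(inventory=INVENTORY, notes=NOTES):
    """Notes matching no system at all: either not relevant, or the inventory is incomplete."""
    matched = {num for nums in triage(inventory, notes).values() for num in nums}
    return [n.number for n in notes if n.number not in matched]


if __name__ == "__main__":
    for sid, numbers in triage().items():
        print(sid, numbers or "no applicable note this month")
    print("not matched by any system:", unmatched_notes())
```

Two caveats the output makes visible. The hypothetical ERQ system on release 731 gets an empty worklist for 3000306 only because 731 is not in the note's affected list; a release that is absent from the list may simply be out of maintenance rather than unaffected, so such gaps should be confirmed against the note itself. And the SAP GUI note ends up in the unmatched list because client software (SAP GUI, SAP Business Client, the EPM add-in) lives on workstations and is usually missing from a server-side inventory; a triage that only covers servers silently skips those notes.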


Posted by

Christoph Nagy
