SAP Security Patch Day – July 2021
There are a few constants in life. For SAP professionals, one of these constants is the SAP Security Patch Day. On the second Tuesday of every month – yes, 12 times a year – the SAP Security and Response team issues new or improved security patches.
On 13 July 2021, SAP Security Patch Day saw the release of 14 Security Notes. There were 3 updates to previously released Security Notes.
SAP has provided patches for the following vulnerability types in July:
– Code Injection
– Cross-Site Scripting
– Denial of Service
– Information Disclosure
– Missing Authorization Check
Luckily, we only see two corrections with the priority “Hot News”. Both of them are updates to previously released patches.
1. Security updates for the browser control Google Chromium delivered with SAP Business Client (SNote 2622660). This note receives updates on a monthly basis and is to be reviewed regularly.
2. Improper Authentication in SAP NetWeaver ABAP Server and ABAP Platform (SNote 3007182). Notes were extended by a new version in the ‘Support Packages & Patches’ section.
New this month is “Missing Authorization check in SAP NetWeaver Guided Procedures” (SNote 3059446), which is relevant for all versions from 7.10 to 7.50 and comes with a CVSS score of 7.6 (High). If the Guided Procedures are not in use, the note suggests deactivating the feature in the Java System Properties as a workaround.
“Denial of Service (DoS) in SAP NetWeaver AS for Java (HTTP Service)” (SNote 3056652) provides a solution to prevent an attacker from crashing or flooding a vulnerable HTTP Service. For the resolution, customers need to update the AS Java Server with the service pack provided in the “Support Packages & Patches” section of the Note.
Patch Management is key
Patch Management is a key pillar of any SAP security program. The latest SAP Security Patch Day again points out that implementing security patches requires dedicated capacity and specialized know-how. Departments are typically not overstaffed and thus work to the limit of their capacity. As a consequence, basic security hygiene may be left aside while other activities are given a higher priority. This is a dilemma, since installing security patches provides a high level of protection.
Read more about “Efficient SAP Patch Management” in our recent blog article.
Summary by Severity
The July release contains a total of 14 patches for the following severities: