SAP Security Patch Day – June 2021
On Tuesday 8th June the SAP Response Teams published the monthly security corrections for the sixth time in 2021. This month has seen a total of 19 corrections, 17 of them being newly addressed issues and 2 are updates to previously released Security Notes.
You may find the full list of released SAP Security Notes, ordered by their priority, in the table below.
Highlights
While reviewing the correction provided in 3007182 – [CVE-2021-27610] Improper Authentication in SAP NetWeaver ABAP Server and ABAP Platform, this reminded us a bit on SAP “Gateway to Heaven” – a vulnerability that could be used to trick the gateway components of NetWeaver AS to gain full access.
Note 3007182 has received a CVSS of 9 and thus qualifies for the “Hot News” priority status.
Use SecurityBridge Patch Management to never miss an important patch, applicable for your SAP products.
Implementing this correction requires an SAP Kernel update, which demands downtime. The risk of exploitation can be reduced by restricting access from network external sources for RFC and HTTP communication via your network security perimeter.
Patch Management is key
Patch Management is a key pillar of any SAP security program. The latest SAP Security Patch Day again points out that implementing security patches require dedicated capacity and know-how. Departments are typically not overstaffed and thus work to the limit of their capacity. In consequence, it may happen basic security hygiene is left aside while other activities are ranked a higher priority. A dilemma, since installing security patches provides a high level of protection.
Read more about “Efficient SAP Patch Management” in our recent blog article.
Summary by Severity
The June release contains a total of 19 patches for the following severities:
| Severity | Number |
|---|---|
|
Hot News
|
2 |
|
High
|
4 |
|
Medium
|
13 |
| Note | Description | Severity | CVSS |
|---|---|---|---|
| 3040210 | Update to Security Note Released on April 2021 Patch Day:[CVE-2021-27602] Remote Code Execution vulnerability in Source Rules of SAP CommerceProduct- SAP Commerce, Versions - 1808, 1811, 1905, 2005, 2011 |
Hot News
|
9.9 |
| 3007182 | [CVE-2021-27610] Improper
Authentication in SAP NetWeaver ABAP Server and ABAP Platform Product - SAP NetWeaver AS ABAP and ABAP Platform, Versions - 700,701,702,731,740,750,751,752,753,754,755,804 |
Hot News
|
9 |
| 3053066 | [CVE-2021-27635] Missing
XML Validation in SAP NetWeaver AS for JAVA Product - SAP NetWeaver AS for JAVA, Versions - 7.20, 7.30, 7.31, 7.40, 7.50 |
High
|
8.7 |
| 3020209 | [Multiple CVEs] Memory
Corruption vulnerability in SAP NetWeaver ABAP Server and ABAP PlatformCVEs
- CVE-2021-27606, CVE-2021-27629, CVE-2021-27630, CVE-2021-27631, CVE-2021-27632 Product - SAP NetWeaver AS for ABAP (RFC Gateway), Versions - KRNL32NUC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73,7.77,7.81,7.82,7.83 |
High
|
7.5 |
| 3020104 | [Multiple CVEs] Memory
Corruption vulnerability in SAP NetWeaver ABAP Server and ABAP PlatformCVEs
- CVE-2021-27597, CVE-2021-27633, CVE-2021-27634 Product - SAP NetWeaver ABAP Server and ABAP Platform (Enqueue Server), Versions - KRNL32NUC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73 |
High
|
7.5 |
| 3021197 | [Multiple CVEs] Memory
Corruption vulnerability in SAP NetWeaver ABAP Server and ABAP PlatformCVEs
- CVE-2021-27607, CVE-2021-27628 Product - SAP NetWeaver ABAP Server and ABAP Platform (Dispatcher), Versions - KRNL32NUC - 7.22,7.22EXT, KRNL32UC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73,7.77,7.81,7.82,7.83 |
High
|
7.5 |
| 3058382 | [CVE-2021-33662] Information Disclosure in SAP Business One Product - SAP Business One, Version - 10.0 |
Medium
|
6.7 |
| 3030961 | [CVE-2021-27615] Cross-Site Scripting (XSS) vulnerability in SAP Manufacturing Execution Product - SAP Manufacturing Execution, Versions - 15.1, 1.5.2, 15.3, 15.4 |
Medium
|
6.4 |
| 3002517 | [CVE-2021-21473] Missing
Authorization check in SAP NetWeaver AS ABAP and ABAP Platform Product - SAP NetWeaver AS ABAP and ABAP Platform (SRM_RFC_SUBMIT_REPORT), Versions - 700, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755 |
Medium
|
6.3 |
| 3004043 | [CVE-2021-21490] Cross-Site Scripting (XSS) vulnerability in SAP Netweaver AS for ABAP (Web
Survey) Product - SAP NetWeaver AS for ABAP (Web Survey), Versions - 700, 702, 710, 711, 730, 731, 750, 750, 752, 75A, 75F |
Medium
|
6.1 |
| 3021050 | [Multiple CVEs] Memory
Corruption vulnerability in SAP IGSCVEs
- CVE-2021-27620, CVE-2021-27622, CVE-2021-27623, CVE-2021-27624, CVE-2021-27625, CVE-2021-27626, CVE-2021-27627 Product - SAP NetWeaver AS (Internet Graphics Server – Portwatcher), Versions - 7.20,7.20EXT,7.53,7.20_EX2,7.81 |
Medium
|
5.9 |
| 3049879 | [CVE-2021-27637] Information Disclosure in SAP Enable Now (SAP Workforce Performance Builder -
Manager) Product - SAP Enable Now (SAP Workforce Performance Builder - Manager), Versions - 10.0, 1.0 |
Medium
|
5.9 |
| 3030604 | [CVE-2021-33663] Plaintext
command injection in SAP NetWeaver AS ABAP Product - SAP NetWeaver AS ABAP, Versions - KRNL32NUC - 7.22,7.22EXT, KRNL32UC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73,7.77,7.81,7.82,7.83,7.84 |
Medium
|
5.8 |
| 3023299 | [CVE-2021-27621] Information Disclosure in SAP NetWeaver AS JAVA (UserAdmin Application) Product - SAP NetWeaver AS for Java (UserAdmin), Versions - 7.11,7.20,7.30,7.31,7.40,7.50 |
Medium
|
5.5 |
| 3025604 | [CVE-2021-33664] Cross-Site Scripting (XSS) vulnerability within SAP NetWeaver AS ABAP (Applications
based on Web Dynpro ABAP) Product - SAP NetWeaver Application Server ABAP (Applications based on Web Dynpro ABAP), Versions - SAP_UI – 750,752,753,754,755, SAP_BASIS – 702, 31 |
Medium
|
5.4 |
| 3028370 | [CVE-2021-33665] Cross-Site Scripting (XSS) vulnerability within SAP NetWeaver AS ABAP (Applications
based on SAP GUI for HTML) Product - SAP NetWeaver Application Server ABAP (Applications based on SAP GUI for HTML), Versions - KRNL64NUC - 7.49, KRNL64UC - 7.49,7.53, KERNEL - 7.49,7.53,7.77,7.81,7.84 |
Medium
|
5.4 |
| 2985562 | [CVE-2021-33666] MIME
Sniffing Vulnerability in SAP Commerce Cloud Product - SAP Commerce Cloud, Version - 100 |
Medium
|
4.7 |
| 3059999 | [Multiple CVEs] Improper
Input Validation in SAP 3D Visual Enterprise ViewerCVEs
- CVE-2021-27638, CVE-2021-27639, CVE-2021-27640, CVE-2021-33659, CVE-2021-27642, CVE-2021-33661, CVE-2021-27641, CVE-2021-27643, CVE-2021-33660 Product - SAP 3D Visual Enterprise Viewer, Version - 9 |
Medium
|
4.3 |
| 3025054 | Update to Security Note
Released on April 2021 Patch Day:[CVE-2021-27605] Missing Authorization check in HCM Travel Management
Fiori Apps V2 Product - SAP Fiori Apps 2.0 for Travel Management in SAP ERP, Version - 608 |
Medium
|
4.3 |
