SAP Security Patch Day – June 2021

On Tuesday, 8 June, the SAP Response Teams published the monthly security corrections for the sixth time in 2021. This month saw a total of 19 corrections: 17 of them are newly addressed issues and 2 are updates to previously released Security Notes.

You may find the full list of released SAP Security Notes, ordered by their priority, in the table below.

Highlights

While reviewing the correction provided in 3007182 – [CVE-2021-27610] Improper Authentication in SAP NetWeaver ABAP Server and ABAP Platform, we were reminded of SAP “Gateway to Heaven”, a vulnerability that could be used to trick the gateway components of NetWeaver AS into granting full access.
Note 3007182 has received a CVSS score of 9 and thus qualifies for the “Hot News” priority status.

Use SecurityBridge Patch Management to never miss an important patch, applicable for your SAP products.

Implementing this correction requires an SAP kernel update, which demands downtime. The risk of exploitation can be reduced by restricting RFC and HTTP access from external network sources at your network security perimeter.

Patch Management is key

Patch Management is a key pillar of any SAP security program. The latest SAP Security Patch Day again shows that implementing security patches requires dedicated capacity and know-how. Departments are typically not overstaffed and thus work at the limit of their capacity. As a consequence, basic security hygiene may be left aside while other activities are given a higher priority. This is a dilemma, since installing security patches provides a high level of protection.

Read more about “Efficient SAP Patch Management” in our recent blog article.

Summary by Severity

The June release contains a total of 19 patches for the following severities:

Severity | Number
-------- | ------
Hot News | 2
High     | 4
Medium   | 13
Note | Description | Product and versions | Severity | CVSS
---- | ----------- | -------------------- | -------- | ----
3040210 | Update to Security Note released on April 2021 Patch Day: [CVE-2021-27602] Remote Code Execution vulnerability in Source Rules of SAP Commerce | SAP Commerce; Versions: 1808, 1811, 1905, 2005, 2011 | Hot News | 9.9
3007182 | [CVE-2021-27610] Improper Authentication in SAP NetWeaver ABAP Server and ABAP Platform | SAP NetWeaver AS ABAP and ABAP Platform; Versions: 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 804 | Hot News | 9
3053066 | [CVE-2021-27635] Missing XML Validation in SAP NetWeaver AS for JAVA | SAP NetWeaver AS for JAVA; Versions: 7.20, 7.30, 7.31, 7.40, 7.50 | High | 8.7
3020209 | [Multiple CVEs] Memory Corruption vulnerability in SAP NetWeaver ABAP Server and ABAP Platform; CVEs: CVE-2021-27606, CVE-2021-27629, CVE-2021-27630, CVE-2021-27631, CVE-2021-27632 | SAP NetWeaver AS for ABAP (RFC Gateway); Versions: KRNL32NUC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73,7.77,7.81,7.82,7.83 | High | 7.5
3020104 | [Multiple CVEs] Memory Corruption vulnerability in SAP NetWeaver ABAP Server and ABAP Platform; CVEs: CVE-2021-27597, CVE-2021-27633, CVE-2021-27634 | SAP NetWeaver ABAP Server and ABAP Platform (Enqueue Server); Versions: KRNL32NUC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73 | High | 7.5
3021197 | [Multiple CVEs] Memory Corruption vulnerability in SAP NetWeaver ABAP Server and ABAP Platform; CVEs: CVE-2021-27607, CVE-2021-27628 | SAP NetWeaver ABAP Server and ABAP Platform (Dispatcher); Versions: KRNL32NUC - 7.22,7.22EXT, KRNL32UC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73,7.77,7.81,7.82,7.83 | High | 7.5
3058382 | [CVE-2021-33662] Information Disclosure in SAP Business One | SAP Business One; Version: 10.0 | Medium | 6.7
3030961 | [CVE-2021-27615] Cross-Site Scripting (XSS) vulnerability in SAP Manufacturing Execution | SAP Manufacturing Execution; Versions: 15.1, 1.5.2, 15.3, 15.4 | Medium | 6.4
3002517 | [CVE-2021-21473] Missing Authorization check in SAP NetWeaver AS ABAP and ABAP Platform | SAP NetWeaver AS ABAP and ABAP Platform (SRM_RFC_SUBMIT_REPORT); Versions: 700, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755 | Medium | 6.3
3004043 | [CVE-2021-21490] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS for ABAP (Web Survey) | SAP NetWeaver AS for ABAP (Web Survey); Versions: 700, 702, 710, 711, 730, 731, 750, 750, 752, 75A, 75F | Medium | 6.1
3021050 | [Multiple CVEs] Memory Corruption vulnerability in SAP IGS; CVEs: CVE-2021-27620, CVE-2021-27622, CVE-2021-27623, CVE-2021-27624, CVE-2021-27625, CVE-2021-27626, CVE-2021-27627 | SAP NetWeaver AS (Internet Graphics Server – Portwatcher); Versions: 7.20,7.20EXT,7.53,7.20_EX2,7.81 | Medium | 5.9
3049879 | [CVE-2021-27637] Information Disclosure in SAP Enable Now (SAP Workforce Performance Builder - Manager) | SAP Enable Now (SAP Workforce Performance Builder - Manager); Versions: 10.0, 1.0 | Medium | 5.9
3030604 | [CVE-2021-33663] Plaintext command injection in SAP NetWeaver AS ABAP | SAP NetWeaver AS ABAP; Versions: KRNL32NUC - 7.22,7.22EXT, KRNL32UC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73,7.77,7.81,7.82,7.83,7.84 | Medium | 5.8
3023299 | [CVE-2021-27621] Information Disclosure in SAP NetWeaver AS JAVA (UserAdmin Application) | SAP NetWeaver AS for Java (UserAdmin); Versions: 7.11,7.20,7.30,7.31,7.40,7.50 | Medium | 5.5
3025604 | [CVE-2021-33664] Cross-Site Scripting (XSS) vulnerability within SAP NetWeaver AS ABAP (Applications based on Web Dynpro ABAP) | SAP NetWeaver Application Server ABAP (Applications based on Web Dynpro ABAP); Versions: SAP_UI – 750,752,753,754,755, SAP_BASIS – 702, 31 | Medium | 5.4
3028370 | [CVE-2021-33665] Cross-Site Scripting (XSS) vulnerability within SAP NetWeaver AS ABAP (Applications based on SAP GUI for HTML) | SAP NetWeaver Application Server ABAP (Applications based on SAP GUI for HTML); Versions: KRNL64NUC - 7.49, KRNL64UC - 7.49,7.53, KERNEL - 7.49,7.53,7.77,7.81,7.84 | Medium | 5.4
2985562 | [CVE-2021-33666] MIME Sniffing Vulnerability in SAP Commerce Cloud | SAP Commerce Cloud; Version: 100 | Medium | 4.7
3059999 | [Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer; CVEs: CVE-2021-27638, CVE-2021-27639, CVE-2021-27640, CVE-2021-33659, CVE-2021-27642, CVE-2021-33661, CVE-2021-27641, CVE-2021-27643, CVE-2021-33660 | SAP 3D Visual Enterprise Viewer; Version: 9 | Medium | 4.3
3025054 | Update to Security Note released on April 2021 Patch Day: [CVE-2021-27605] Missing Authorization check in HCM Travel Management Fiori Apps V2 | SAP Fiori Apps 2.0 for Travel Management in SAP ERP; Version: 608 | Medium | 4.3
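A first triage step a Basis or security team can run on a release like this one is to match the affected-release lists against a system's installed components. The following is an added example, not code from this post or from SecurityBridge: the three rows are copied from the table above in the "Versions" format SAP prints, while the component labels SAP_BASIS and AS_JAVA (used where SAP lists bare release numbers) and the system inventory are constructed assumptions.

```python
import re

# Three rows copied from the table above, in the "Versions" format SAP prints: either
# "COMPONENT - v1,v2, COMPONENT - v3" or a bare release list. The component labels
# SAP_BASIS and AS_JAVA for the bare-list rows are constructed here, not SAP's.
NOTES = {
    "3007182": ("Hot News", "SAP_BASIS",
                "700,701,702,731,740,750,751,752,753,754,755,804"),
    "3020209": ("High", None,
                "KRNL32NUC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, "
                "KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, "
                "KERNEL - 7.22,8.04,7.49,7.53,7.73,7.77,7.81,7.82,7.83"),
    "3053066": ("High", "AS_JAVA", "7.20, 7.30, 7.31, 7.40, 7.50"),
}
# Constructed inventory of one system: component -> installed release.
SYSTEM = {"SAP_BASIS": "755", "KERNEL": "7.53", "KRNL64UC": "7.49", "AS_JAVA": "7.11"}

# A new component group starts at ", NAME - " with NAME upper-case; release tokens such
# as 7.22EXT or 75A start with a digit, so the lookahead never splits inside a list.
GROUP_SPLIT = re.compile(r",\s*(?=[A-Z][A-Z0-9_]*\s*[-\u2013]\s)")
GROUP = re.compile(r"([A-Z][A-Z0-9_]*)\s*[-\u2013]\s*(.*)$")

def parse_versions(text, default_component=None):
    """Turn an SAP 'Versions' string into {component: {release, ...}}."""
    affected = {}
    for group in GROUP_SPLIT.split(text):
        match = GROUP.match(group.strip())
        if match:
            component, releases = match.group(1), match.group(2)
        else:  # bare release list: the caller names the component
            component, releases = default_component, group
        if component is None:
            raise ValueError("release list without a component name: %r" % group)
        affected.setdefault(component, set()).update(
            r.strip() for r in releases.split(",") if r.strip())
    return affected

def applicable_notes(notes, system):
    """Release-level triage: (note, severity, component, release) for each listed
    release that is installed. Whether the note is really open still depends on the
    kernel or support-package patch level, which only the note's validity check shows."""
    hits = []
    for note, (severity, default_component, versions) in notes.items():
        affected = parse_versions(versions, default_component)
        for component, release in system.items():
            if release in affected.get(component, ()):
                hits.append((note, severity, component, release))
    return sorted(hits)
```

On the constructed inventory, `applicable_notes(NOTES, SYSTEM)` flags 3007182 via SAP_BASIS 755 and 3020209 via both KERNEL 7.53 and KRNL64UC 7.49, while the Java note 3053066 does not list release 7.11.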

Posted by Christoph Nagy