Skip to content

SAP Security Patch Day – March 2021

SAP security Patch day

Tuesday 9th March, SAP again released security updates as part of the monthly SAP Patch Day.

Highlights

There were 2 updates to hot news patches already released earlier. One of them is an old well-known security note that has been updated regularly over the last months. We are talking about the Google Chromium patch in SNOTE 2622660. Additionally SNOTE 2890213, having the highest possible CVSS 10.0 rating, has been updated. We recommend you paying attention to this SAP Patch and implement it as soon as possible because the missing authorization check in SAP Solution Manager has been remediated. 

SAP MII, which is based on SAP AS JAVA, was also relieved of a code injection vulnerability via SNOTE 3022622. If you have not yet configured your SAP Manufacturing Integration and Intelligence securely, we recommend this security guideline.

Certainly, it is not sufficient to focus exclusively on high severity vulnerabilities. Attackers often use a combination of vulnerabilities that are not necessarily rated CVSS >9. SAP customers must therefore also always consider the specific environment and the data classification of the individual instance to evaluate the necessity of patching.

Use SecurityBridge Patch Management to never miss an important patch, applicable for your SAP products.

The March SAP Security Patch Day contains additional important corrections, which should be applied if the software components are available in your systems. Also relevant for SAP AS JAVA, the SNOTE 3022422 remediates a missing authorization check in the “Migration Service”.
Rated with severity “High” (CVSS 7.7), SAP Note 3017378 removes a vulnerability that allows attackers to bypass authentication in SAP HANA LDAP scenarios.

Please find a full list of released patches below.

Summary by Severity

The March release contains a total of 11 patches for the following severities:

SeverityNumber
Hot News
3
High
1
Medium
7
NoteDescriptionSeverityCVSS
2890213 Update to security note released on March 2020 Patch Day:[CVE-2020-6207] Missing Authentication Check in SAP Solution Manager (User-Experience Monitoring)
Product - SAP Solution Manager (User Experience Monitoring), Version - 7.2 
Hot News
10
2622660 Update to security note released on April 2018 Patch Day:Security updates for the browser control Google Chromium delivered with SAP Business Client
Product - SAP Business Client, Version - 6.5
Hot News
10
3022622 [CVE-2021-21480] Code Injection Vulnerability in SAP MII
Product - SAP Manufacturing Integration and Intelligence, Versions - 15.1, 15.2, 15.3, 15.4 
Hot News
9.9
3022422 [CVE-2021-21481] Missing Authorization Check in SAP NetWeaver AS JAVA (MigrationService)
Product - SAP NetWeaver AS JAVA (MigrationService), Versions - 7.10, 7.11, 7.30, 7.31, 7.40, 7.50
Hot News 
9.6
3017378 [CVE-2021-21484] Possible authentication bypass in SAP HANA LDAP scenarios
Product - SAP HANA, Version - 2.0
High
7.7
3007888 [CVE-2021-21486] Missing Authorization check in SAP Enterprise Financial Services( Bank Customer Accounts)
Product - SAP Enterprise Financial Services (Bank Customer Accounts), Versions - 101, 102, 103, 104, 105, 600, 603, 604, 605, 606, 616, 617, 618, 800 
Medium
6.8
2983436 [CVE-2021-21488] Insecure Deserialisation in SAP NetWeaver Knowledge Management
Product - SAP NetWeaver Knowledge Management, Versions - 7.01, 7.02, 7.30,7.31, 7.40, 7.50 
Medium
6.8
3023778 [CVE-2021-21487] Missing Authorization Check in Payment Engine
Product - SAP Payment Engine, Version - 500
Medium
6.8
2943844 Update to security note released on October 2020 Patch Day:[CVE-2020-6308] Server-Side Request Forgery vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Services)
Product - SAP BusinessObjects Business Intelligence Platform (Web Services), Versions - 410, 420, 430 
Medium
5.3
2976947 [CVE-2021-21491] Reverse TabNabbing vulnerability in SAP NetWeaver Application Server Java (Applications based on Web Dynpro Java)
Product - SAP NetWeaver Application Server Java (Applications based on Web Dynpro Java), Versions - 7.00, 7.10, 7.11, 7.20, 7.30, 731, 7.40, 7.50 
Medium 
4.7
3027767 [CVE-2021-27592] Improper Input Validation in SAP 3D Visual Enterprise Viewer
Product - SAP 3D Visual Enterprise Viewer, Version - 9
Medium
4.3
3027758 [Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer  Related CVEs - CVE-2021-27585, CVE-2021-27586, CVE-2021-27587, CVE-2021-21493, CVE-2021-27588, CVE-2021-27591, CVE-2021-27584, CVE-2021-27589, CVE-2021-27590
Product - SAP 3D Visual Enterprise Viewer, Version - 9
Medium
4.3
2944188 Update to security note released on November 2020 Patch Day:[CVE-2020-6316] Missing Authorization Check in SAP ERP and SAP S/4 HANA
Product - SAP ERP, Versions - 600, 602, 603, 604, 605, 606, 616, 617, 618
Product - SAP S/4 HANA, Versions - 100, 101, 102, 103, 104
Medium
4.3

Source

Posted by

Christoph Nagy
Find recent Security Advisories for SAP©
Download the White Paper “Which cybersecurity framework is the best fit for SAP application security?” to learn more about the available frameworks, the challenges when adopting a framework, and more.

SecurityBridge at the DSAG Technologietage 2023

SecurityBridge will be attending the DSAG Technologietage 2023 from March 22nd-23rd at the Congress Center Rosengarten in Mannheim.
SAP Cyber risk
SAP Cybersecurity- Security News
Businesses must be more cautious to protect themselves from cyber threats as digitalization and the use of SAP systems increase. SAP S/4HANA is critical for many enterprises as it provides the foundation for business operations. As digitalization and Industry 4.0 continue to increase, SAP S/4HANA lays the foundation for many modern business scenarios. SAP systems are important for many industries and their security is a major concern, making them vulnerable to cyber attackers. This article will discuss cyber risks and how you can assess your individual and organizational SAP systems' risks. What are cyber risks?
Common SAP Patches
SAP Cybersecurity- SAP Patch Management- SAP Security Patch Day- Security News
Installing SAP patches is crucial for maintaining a robust and secure enterprise resource planning (ERP) system. SAP, one of the leading ERP systems in the world, is constantly evolving to meet the changing needs of businesses. As a result, SAP releases various patches to address issues and enhance the functionality of its software. However, installing SAP patches can present challenges for IT teams, such as ensuring minimal disruption to business operations, managing risks, and testing the non-implemented patches. This article will discuss the three most common types of SAP patches- kernel patches, snote patches, and support packs - and the best practices for installing them.
SAP interfaces
SAP Cybersecurity- SAP Interface- Security News
In this blog article, we will explore the importance of SAP interface security and discuss the various measures businesses can take to protect their systems and data. We will also examine some common threats to SAP interfaces and how to mitigate them. To safeguard your business, you need to understand the importance of SAP interface security and take steps to make your interfaces secure. 
SAP security Patch day
10th January 2023 SAP response team sends some Happy New Year greeting to the SAP Security Teams, by releasing 10 SAP Security Notes.