Skip to content
Linkedin Twitter Facebook Xing
< Back to Overview

SAP Security Patch Day – March 2021

SAP security Patch day

Tuesday 9th March, SAP again released security updates as part of the monthly SAP Patch Day.

Highlights

There were 2 updates to hot news patches already released earlier. One of them is an old well-known security note that has been updated regularly over the last months. We are talking about the Google Chromium patch in SNOTE 2622660. Additionally SNOTE 2890213, having the highest possible CVSS 10.0 rating, has been updated. We recommend you paying attention to this SAP Patch and implement it as soon as possible because the missing authorization check in SAP Solution Manager has been remediated. 

SAP MII, which is based on SAP AS JAVA, was also relieved of a code injection vulnerability via SNOTE 3022622. If you have not yet configured your SAP Manufacturing Integration and Intelligence securely, we recommend this security guideline.

Certainly, it is not sufficient to focus exclusively on high severity vulnerabilities. Attackers often use a combination of vulnerabilities that are not necessarily rated CVSS >9. SAP customers must therefore also always consider the specific environment and the data classification of the individual instance to evaluate the necessity of patching.

Use SecurityBridge Patch Management to never miss an important patch, applicable for your SAP products.

Request a Demo

The March SAP Security Patch Day contains additional important corrections, which should be applied if the software components are available in your systems. Also relevant for SAP AS JAVA, the SNOTE 3022422 remediates a missing authorization check in the “Migration Service”.
Rated with severity “High” (CVSS 7.7), SAP Note 3017378 removes a vulnerability that allows attackers to bypass authentication in SAP HANA LDAP scenarios.

Please find a full list of released patches below.

Summary by Severity

The March release contains a total of 11 patches for the following severities:

Severity Number
Hot News
 3
High
 1
Medium
 7
Note Description Severity CVSS
2890213 Update to security note released on March 2020 Patch Day:[CVE-2020-6207] Missing Authentication Check in SAP Solution Manager (User-Experience Monitoring)
Product - SAP Solution Manager (User Experience Monitoring), Version - 7.2 
Hot News
 10
2622660 Update to security note released on April 2018 Patch Day:Security updates for the browser control Google Chromium delivered with SAP Business Client
Product - SAP Business Client, Version - 6.5
Hot News
 10
3022622 [CVE-2021-21480] Code Injection Vulnerability in SAP MII
Product - SAP Manufacturing Integration and Intelligence, Versions - 15.1, 15.2, 15.3, 15.4 
Hot News
 9.9
3022422 [CVE-2021-21481] Missing Authorization Check in SAP NetWeaver AS JAVA (MigrationService)
Product - SAP NetWeaver AS JAVA (MigrationService), Versions - 7.10, 7.11, 7.30, 7.31, 7.40, 7.50
Hot News 
 9.6
3017378 [CVE-2021-21484] Possible authentication bypass in SAP HANA LDAP scenarios
Product - SAP HANA, Version - 2.0
High
 7.7
3007888 [CVE-2021-21486] Missing Authorization check in SAP Enterprise Financial Services( Bank Customer Accounts)
Product - SAP Enterprise Financial Services (Bank Customer Accounts), Versions - 101, 102, 103, 104, 105, 600, 603, 604, 605, 606, 616, 617, 618, 800 
Medium
 6.8
2983436 [CVE-2021-21488] Insecure Deserialisation in SAP NetWeaver Knowledge Management
Product - SAP NetWeaver Knowledge Management, Versions - 7.01, 7.02, 7.30,7.31, 7.40, 7.50 
Medium
 6.8
3023778 [CVE-2021-21487] Missing Authorization Check in Payment Engine
Product - SAP Payment Engine, Version - 500
Medium
 6.8
2943844 Update to security note released on October 2020 Patch Day:[CVE-2020-6308] Server-Side Request Forgery vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Services)
Product - SAP BusinessObjects Business Intelligence Platform (Web Services), Versions - 410, 420, 430 
Medium
 5.3
2976947 [CVE-2021-21491] Reverse TabNabbing vulnerability in SAP NetWeaver Application Server Java (Applications based on Web Dynpro Java)
Product - SAP NetWeaver Application Server Java (Applications based on Web Dynpro Java), Versions - 7.00, 7.10, 7.11, 7.20, 7.30, 731, 7.40, 7.50 
Medium 
 4.7
3027767 [CVE-2021-27592] Improper Input Validation in SAP 3D Visual Enterprise Viewer
Product - SAP 3D Visual Enterprise Viewer, Version - 9
Medium
 4.3
3027758 [Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer  Related CVEs - CVE-2021-27585, CVE-2021-27586, CVE-2021-27587, CVE-2021-21493, CVE-2021-27588, CVE-2021-27591, CVE-2021-27584, CVE-2021-27589, CVE-2021-27590
Product - SAP 3D Visual Enterprise Viewer, Version - 9
Medium
 4.3
2944188 Update to security note released on November 2020 Patch Day:[CVE-2020-6316] Missing Authorization Check in SAP ERP and SAP S/4 HANA
Product - SAP ERP, Versions - 600, 602, 603, 604, 605, 606, 616, 617, 618
Product - SAP S/4 HANA, Versions - 100, 101, 102, 103, 104
Medium
 4.3

Source

Posted by

Christoph Nagy
Find recent Security Advisories for SAP©
View Advisory for Feburary'21
White Paper - Bridging the Gap How SecurityBridge Supports NIST CSF in SAP Environments
Download the White Paper “Bridging the Gap – How SecurityBridge Supports NIST CSF in SAP Environments”. Learn how choosing the right tool can significantly shorten the journey of NIST CSF adoption and improve the security posture of SAP environments.
DSAG Jahreskongress 2023

DSAG-Jahreskongress 2023

Alles verändert sich, nichts bleibt wie es ist, die heutige Zeit setzt Flexibilität voraus. Entsprechend wandelbar präsentieren sich DSAG, SAP und das gesamte Ökosystem. Diese Wandlungsfähigkeit steht auch im Fokus des DSAG-Jahreskongress 2023 vom 19.-21. September 2023 in Bremen. Unter dem Motto „Wunderbar wandelbar – Gemeinsam neue Perspektiven schaffen“ freut sich die DSAG wieder darauf, mehr als 5.000 Teilnehmende zu begrüßen. Wagen Sie gemeinsam mit der Interessenvertretung den Blick durch das Kaleidoskop und finden Sie den richtigen Dreh, um zu neuen Blickwinkeln zu gelangen und Veränderungen zu gestalten.
Learn more
DSAG Jahreskongress 2023

DSAG-Jahreskongress 2023

Events
Alles verändert sich, nichts bleibt wie es ist, die heutige Zeit setzt Flexibilität voraus. Entsprechend wandelbar präsentieren sich DSAG, SAP und das gesamte Ökosystem. Diese Wandlungsfähigkeit steht auch im Fokus des DSAG-Jahreskongress 2023 vom 19.-21. September 2023 in Bremen. Unter dem Motto „Wunderbar wandelbar – Gemeinsam neue Perspektiven schaffen“ freut sich die DSAG wieder darauf, mehr als 5.000 Teilnehmende zu begrüßen. Wagen Sie gemeinsam mit der Interessenvertretung den Blick durch das Kaleidoskop und finden Sie den richtigen Dreh, um zu neuen Blickwinkeln zu gelangen und Veränderungen zu gestalten.
SAP security Patch day

SAP Security Patch Day – May 2023

SAP Security Patch Day
Today is another SAP Security Patch Day. In May 2023, the SAP Response Team released 20 SAP Security Notes, including Evergreen 2622660 Security updates for the browser control Google Chromium delivered with SAP Business Client with HotNews priority. Besides two updated Notes, SAP Security Patch Day May 2023, contains 18 new security updates for the vast SAP Product portfolio while the majority relates to SAP Business Objects.
SAP ABAP Directory Traversal Vulnerability

SAP ABAP Directory Traversal Vulnerability: Risks and Solutions

SAP Vulnerability
SAP developers know that ABAP/4 (Advanced Business Application Programming) is not immune to security vulnerabilities like any other programming language. One significant security risk associated with SAP ABAP is directory traversal vulnerability. In this blog post, we will discuss what a directory traversal vulnerability is, why it is a problem for SAP customers, how it can be exploited, and what measures to take to prevent it.