SAP Security Patch Day – March 2021

SAP Patchday

Tuesday 9th March, SAP again released security updates as part of the monthly SAP Patch Day.

Highlights

There were 2 updates to hot news patches already released earlier. One of them is an old well-known security note that has been updated regularly over the last months. We are talking about the Google Chromium patch in SNOTE 2622660. Additionally SNOTE 2890213, having the highest possible CVSS 10.0 rating, has been updated. We recommend you paying attention to this SAP Patch and implement it as soon as possible because the missing authorization check in SAP Solution Manager has been remediated. 

SAP MII, which is based on SAP AS JAVA, was also relieved of a code injection vulnerability via SNOTE 3022622. If you have not yet configured your SAP Manufacturing Integration and Intelligence securely, we recommend this security guideline.

Certainly, it is not sufficient to focus exclusively on high severity vulnerabilities. Attackers often use a combination of vulnerabilities that are not necessarily rated CVSS >9. SAP customers must therefore also always consider the specific environment and the data classification of the individual instance to evaluate the necessity of patching.

Use SecurityBridge Patch Management to never miss an important patch, applicable for your SAP products.

The March SAP Security Patch Day contains additional important corrections, which should be applied if the software components are available in your systems. Also relevant for SAP AS JAVA, the SNOTE 3022422 remediates a missing authorization check in the “Migration Service”.
Rated with severity “High” (CVSS 7.7), SAP Note 3017378 removes a vulnerability that allows attackers to bypass authentication in SAP HANA LDAP scenarios.

Please find a full list of released patches below.

Summary by Severity

The March release contains a total of 11 patches for the following severities:

Severity Number
Hot News
3
High
1
Medium
7
Note Description Severity CVSS
2890213 Update to security note released on March 2020 Patch Day:[CVE-2020-6207] Missing Authentication Check in SAP Solution Manager (User-Experience Monitoring)
Product - SAP Solution Manager (User Experience Monitoring), Version - 7.2 
Hot News
10
2622660 Update to security note released on April 2018 Patch Day:Security updates for the browser control Google Chromium delivered with SAP Business Client
Product - SAP Business Client, Version - 6.5
Hot News
10
3022622 [CVE-2021-21480] Code Injection Vulnerability in SAP MII
Product - SAP Manufacturing Integration and Intelligence, Versions - 15.1, 15.2, 15.3, 15.4 
Hot News
9.9
3022422 [CVE-2021-21481] Missing Authorization Check in SAP NetWeaver AS JAVA (MigrationService)
Product - SAP NetWeaver AS JAVA (MigrationService), Versions - 7.10, 7.11, 7.30, 7.31, 7.40, 7.50
Hot News 
9.6
3017378 [CVE-2021-21484] Possible authentication bypass in SAP HANA LDAP scenarios
Product - SAP HANA, Version - 2.0
High
7.7
3007888 [CVE-2021-21486] Missing Authorization check in SAP Enterprise Financial Services( Bank Customer Accounts)
Product - SAP Enterprise Financial Services (Bank Customer Accounts), Versions - 101, 102, 103, 104, 105, 600, 603, 604, 605, 606, 616, 617, 618, 800 
Medium
6.8
2983436 [CVE-2021-21488] Insecure Deserialisation in SAP NetWeaver Knowledge Management
Product - SAP NetWeaver Knowledge Management, Versions - 7.01, 7.02, 7.30,7.31, 7.40, 7.50 
Medium
6.8
3023778 [CVE-2021-21487] Missing Authorization Check in Payment Engine
Product - SAP Payment Engine, Version - 500
Medium
6.8
2943844 Update to security note released on October 2020 Patch Day:[CVE-2020-6308] Server-Side Request Forgery vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Services)
Product - SAP BusinessObjects Business Intelligence Platform (Web Services), Versions - 410, 420, 430 
Medium
5.3
2976947 [CVE-2021-21491] Reverse TabNabbing vulnerability in SAP NetWeaver Application Server Java (Applications based on Web Dynpro Java)
Product - SAP NetWeaver Application Server Java (Applications based on Web Dynpro Java), Versions - 7.00, 7.10, 7.11, 7.20, 7.30, 731, 7.40, 7.50 
Medium 
4.7
3027767 [CVE-2021-27592] Improper Input Validation in SAP 3D Visual Enterprise Viewer
Product - SAP 3D Visual Enterprise Viewer, Version - 9
Medium
4.3
3027758 [Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer  Related CVEs - CVE-2021-27585, CVE-2021-27586, CVE-2021-27587, CVE-2021-21493, CVE-2021-27588, CVE-2021-27591, CVE-2021-27584, CVE-2021-27589, CVE-2021-27590
Product - SAP 3D Visual Enterprise Viewer, Version - 9
Medium
4.3
2944188 Update to security note released on November 2020 Patch Day:[CVE-2020-6316] Missing Authorization Check in SAP ERP and SAP S/4 HANA
Product - SAP ERP, Versions - 600, 602, 603, 604, 605, 606, 616, 617, 618
Product - SAP S/4 HANA, Versions - 100, 101, 102, 103, 104
Medium
4.3

Source

Posted by

Christoph Nagy
Share on linkedin
Share on twitter
Share on email
Find recent Security Advisories for SAP©
Download the White Paper “YOUR ROAD TO SAP SECURITY” to learn about the major milestones towards increasing the cybersecurity posture of your SAP systems.

How to implement and enforce a security baseline for SAP ?

Join and listen to our webinar, to learn how you can use the SecurityBridge platform to define and apply one or multiple baselines, receive alerts whenever the system again deviates…
SAP Patchday
13th April 2021 was yet another Patch Day on our SAP calendar. This months' SAP Security Patch Day revealed 14 new and 5 updated Security Notes.