SAP Security Patch Day – March 2021

SAP security Patch day

Tuesday 9th March, SAP again released security updates as part of the monthly SAP Patch Day.


There were 2 updates to hot news patches already released earlier. One of them is an old well-known security note that has been updated regularly over the last months. We are talking about the Google Chromium patch in SNOTE 2622660. Additionally SNOTE 2890213, having the highest possible CVSS 10.0 rating, has been updated. We recommend you paying attention to this SAP Patch and implement it as soon as possible because the missing authorization check in SAP Solution Manager has been remediated. 

SAP MII, which is based on SAP AS JAVA, was also relieved of a code injection vulnerability via SNOTE 3022622. If you have not yet configured your SAP Manufacturing Integration and Intelligence securely, we recommend this security guideline.

Certainly, it is not sufficient to focus exclusively on high severity vulnerabilities. Attackers often use a combination of vulnerabilities that are not necessarily rated CVSS >9. SAP customers must therefore also always consider the specific environment and the data classification of the individual instance to evaluate the necessity of patching.

Use SecurityBridge Patch Management to never miss an important patch, applicable for your SAP products.

The March SAP Security Patch Day contains additional important corrections, which should be applied if the software components are available in your systems. Also relevant for SAP AS JAVA, the SNOTE 3022422 remediates a missing authorization check in the “Migration Service”.
Rated with severity “High” (CVSS 7.7), SAP Note 3017378 removes a vulnerability that allows attackers to bypass authentication in SAP HANA LDAP scenarios.

Please find a full list of released patches below.

Summary by Severity

The March release contains a total of 11 patches for the following severities:

Severity Number
Hot News
Note Description Severity CVSS
2890213 Update to security note released on March 2020 Patch Day:[CVE-2020-6207] Missing Authentication Check in SAP Solution Manager (User-Experience Monitoring)
Product - SAP Solution Manager (User Experience Monitoring), Version - 7.2 
Hot News
2622660 Update to security note released on April 2018 Patch Day:Security updates for the browser control Google Chromium delivered with SAP Business Client
Product - SAP Business Client, Version - 6.5
Hot News
3022622 [CVE-2021-21480] Code Injection Vulnerability in SAP MII
Product - SAP Manufacturing Integration and Intelligence, Versions - 15.1, 15.2, 15.3, 15.4 
Hot News
3022422 [CVE-2021-21481] Missing Authorization Check in SAP NetWeaver AS JAVA (MigrationService)
Product - SAP NetWeaver AS JAVA (MigrationService), Versions - 7.10, 7.11, 7.30, 7.31, 7.40, 7.50
Hot News 
3017378 [CVE-2021-21484] Possible authentication bypass in SAP HANA LDAP scenarios
Product - SAP HANA, Version - 2.0
3007888 [CVE-2021-21486] Missing Authorization check in SAP Enterprise Financial Services( Bank Customer Accounts)
Product - SAP Enterprise Financial Services (Bank Customer Accounts), Versions - 101, 102, 103, 104, 105, 600, 603, 604, 605, 606, 616, 617, 618, 800 
2983436 [CVE-2021-21488] Insecure Deserialisation in SAP NetWeaver Knowledge Management
Product - SAP NetWeaver Knowledge Management, Versions - 7.01, 7.02, 7.30,7.31, 7.40, 7.50 
3023778 [CVE-2021-21487] Missing Authorization Check in Payment Engine
Product - SAP Payment Engine, Version - 500
2943844 Update to security note released on October 2020 Patch Day:[CVE-2020-6308] Server-Side Request Forgery vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Services)
Product - SAP BusinessObjects Business Intelligence Platform (Web Services), Versions - 410, 420, 430 
2976947 [CVE-2021-21491] Reverse TabNabbing vulnerability in SAP NetWeaver Application Server Java (Applications based on Web Dynpro Java)
Product - SAP NetWeaver Application Server Java (Applications based on Web Dynpro Java), Versions - 7.00, 7.10, 7.11, 7.20, 7.30, 731, 7.40, 7.50 
3027767 [CVE-2021-27592] Improper Input Validation in SAP 3D Visual Enterprise Viewer
Product - SAP 3D Visual Enterprise Viewer, Version - 9
3027758 [Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer  Related CVEs - CVE-2021-27585, CVE-2021-27586, CVE-2021-27587, CVE-2021-21493, CVE-2021-27588, CVE-2021-27591, CVE-2021-27584, CVE-2021-27589, CVE-2021-27590
Product - SAP 3D Visual Enterprise Viewer, Version - 9
2944188 Update to security note released on November 2020 Patch Day:[CVE-2020-6316] Missing Authorization Check in SAP ERP and SAP S/4 HANA
Product - SAP ERP, Versions - 600, 602, 603, 604, 605, 606, 616, 617, 618
Product - SAP S/4 HANA, Versions - 100, 101, 102, 103, 104


Posted by

Christoph Nagy
Share on linkedin
Share on twitter
Share on email
Find recent Security Advisories for SAP©
Download the White Paper “YOUR ROAD TO SAP SECURITY” to learn about the major milestones towards increasing the cybersecurity posture of your SAP systems.

SecurityBridge at the DSAG Annual Congress 2022: How to protect SAP systems during these times

Together with its partner, Fortinet, the SAP Security specialist company will present how to close the gap between SAP and network security in Leipzig.
Here at SecurityBridge, we are extremely lucky to have a team full of amazing professionals. Thanks to our team, we have achieved extraordinary things in the past couple of years. With that in mind, we thought it was time for us to start introducing you to the team that drives everything behind the scenes. And we couldn't have chosen a better example to start with than our very own, Harish Dahima! Read on and learn all about Harish's life as a Senior Product Developer, his role, and life at SecurityBridge.
SAP Cloud Connector
SAP Cloud Security- SAP Cybersecurity- Security News
Every organization constantly faces the challenge of minimizing the attack surface that an adversary could use to perform malicious operations. To do this, administrators must install the deployed components and understand them in detail to identify risks and proactively mitigate or prevent those. Today we are looking at what is necessary to protect the SAP Cloud Connector.
SAP Cycling event
Life at SecurityBridge- Partner News- Security News
It was John F. Kennedy who once said: “nothing compares to the simple pleasure of a bike ride”. And what a pleasure it has been! We had our annual bike ride with friends from Accenture, Deloitte, CGI, McCoy, Thales, KPN, Hunt &Hacket, and security leaders from major customers. We had a lot of opportunities for exchange in the cozy atmosphere among like-minded people who all love road cycling and have SAP Security improvement in mind.