SAP Security Patch Day – May 2021
On Tuesday, 11 May, the SAP Response Team published the monthly security corrections. Regular and precise patching is one of the most effective ways to protect critical enterprise applications. This month brings a total of 11 corrections: 6 address new issues and 5 are updates to previously released Patch Day Security Notes.
The full list of released SAP Security Notes, ordered by priority, is in the table below.
At the top of the board this month are three corrections with Hot News priority that have received an update. We encourage you to review the provided update in order to evaluate whether action is needed. If you use a patch management solution for SAP, such as the one included in the SecurityBridge Platform, you will see only the patches relevant to each system according to its installed base.
Installing SNOTE 3046610 – “[CVE-2021-27611] Code Injection vulnerability in SAP NetWeaver AS ABAP” removes a specific program. As a virtual patch (an interim mitigation until the note is installed), ensure that no user holds the authorization to execute that program via SE38 or SA38.
SAP Business One customers who run their system on SAP HANA should review SNOTE 3049661 – “[CVE-2021-27616] Multiple vulnerabilities in SAP Business One, version for SAP HANA (Business-One-Hana-Chef-Cookbook)”.
Also relevant to SAP Business One, the Chef business-one-cookbook has received an update via 3049755 – “[CVE-2021-27613] Information Disclosure in SAP Business One (Chef business-one-cookbook)”. The note recommends updating Chef first and then deleting and recreating the affected systems.
SNOTE 3023078 – “[CVE-2021-27612] SAP GUI for Windows is vulnerable to redirect users to an untrusted website”, a low-priority note, introduces a new patch for SAP GUI for Windows.
Summary by Severity
The May release contains a total of 11 patches for the following severities:
| Note | Title | Affected product and versions |
|---|---|---|
| 2622660 | Update to Security Note released on August 2018 Patch Day: Security updates for the browser control Google Chromium delivered with SAP Business Client | SAP Business Client, Version 6.5 |
| 3040210 | Update to Security Note released on April 2021 Patch Day: [CVE-2021-27602] Remote Code Execution vulnerability in Source Rules of | SAP Commerce, Versions 1808, 1811, 1905, 2005, 2011 |
| 2999854 | Update to Security Note released on January 2021 Patch Day: [CVE-2021-21466] Code Injection in SAP Business Warehouse and | SAP Business Warehouse, Versions 700, 701, 702, 711, 730, 731, 740, 750, 782; SAP BW4HANA, Versions 100, 200 |
| 3046610 | [CVE-2021-27611] Code Injection vulnerability in SAP NetWeaver AS ABAP | SAP NetWeaver AS ABAP, Versions 700, 701, 702, 730, 731 |
| 3049661 | [CVE-2021-27616] Multiple vulnerabilities in SAP Business One, version for SAP HANA (Business-One-Hana-Chef-Cookbook). Additional CVE: CVE-2021-27614 | SAP Business One, version for SAP HANA (Cookbooks), Versions 0.1.6, 0.1.7, 0.1.19 |
| 3049755 | [CVE-2021-27613] Information Disclosure in SAP Business One (Chef business-one-cookbook) | SAP Business One (Cookbooks), Version 0.1.9 |
| 3039818 | [CVE-2021-27619] Information Disclosure in SAP Commerce (Backoffice search) | SAP Commerce (Backoffice Search), Versions 1808, 1811, 1905, 2005, 2011 |
| 3012021 | [Multiple CVEs] Multiple vulnerabilities in SAP Process Integration (Integration Builder Framework). CVEs: CVE-2021-27617, CVE-2021-27618 | SAP Process Integration (Integration Builder Framework), Versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 |
| 2976947 | Update to Security Note released on March 2021 Patch Day: [CVE-2021-21491] Reverse TabNabbing vulnerability in SAP NetWeaver Application Server Java (Applications based on Web Dynpro Java) | SAP NetWeaver Application Server Java (Applications based on Web Dynpro Java), Versions 7.00, 7.10, 7.11, 7.20, 7.30, 731, 7.40, 7.50 |
| 3030948 | Update to Security Note released on April 2021 Patch Day: [CVE-2021-27609] Missing Authorization check in SAP Focused | SAP Focused RUN, Versions 200, 300 |
| 3023078 | [CVE-2021-27612] SAP GUI for Windows is vulnerable to redirect users to an untrusted website | SAP GUI for Windows, Versions 7.60, 7.70 |
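The per-system filtering mentioned above (showing only the notes that apply to a system's installed product and release) comes down to matching each note's product and version list against an inventory. The following script is an added example, not SecurityBridge's or SAP's code: it takes four rows from the table above and matches them against a constructed inventory; the system IDs and releases in that inventory are assumptions, and version strings are compared after dropping dots so that "7.31" and "731" count as the same release.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Note:
    """One SAP Security Note as listed in the May 2021 table above."""
    number: str
    product: str
    versions: tuple
    cves: tuple
    is_update: bool = False


def norm(text):
    """Lower-case and drop punctuation so that '7.31' and '731' compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def product_key(product):
    """Product name without the component in parentheses, normalized."""
    return norm(product.split("(")[0])


# Four rows taken from the table above (note number, product, versions, CVEs).
NOTES = (
    Note("3046610", "SAP NetWeaver AS ABAP",
         ("700", "701", "702", "730", "731"), ("CVE-2021-27611",)),
    Note("2976947", "SAP NetWeaver Application Server Java (Applications based on Web Dynpro Java)",
         ("7.00", "7.10", "7.11", "7.20", "7.30", "731", "7.40", "7.50"),
         ("CVE-2021-21491",), is_update=True),
    Note("3023078", "SAP GUI for Windows", ("7.60", "7.70"), ("CVE-2021-27612",)),
    Note("3039818", "SAP Commerce (Backoffice Search)",
         ("1808", "1811", "1905", "2005", "2011"), ("CVE-2021-27619",)),
)

# Constructed inventory (system id, product, release); IDs and releases are assumptions.
INVENTORY = (
    ("PRD", "SAP NetWeaver AS ABAP", "7.31"),
    ("JAV", "SAP NetWeaver Application Server Java", "7.50"),
    ("COM", "SAP Commerce", "2105"),
    ("WS01", "SAP GUI for Windows", "7.70"),
)


def applicable_notes(inventory, notes):
    """Map each system id to the numbers of the notes whose product and version match it."""
    report = {}
    for sid, product, release in inventory:
        report[sid] = [n.number for n in notes
                       if product_key(n.product) == product_key(product)
                       and norm(release) in {norm(v) for v in n.versions}]
    return report


if __name__ == "__main__":
    by_number = {n.number: n for n in NOTES}
    for sid, hits in applicable_notes(INVENTORY, NOTES).items():
        detail = ", ".join(f"{h} ({'; '.join(by_number[h].cves)})" for h in hits)
        print(f"{sid}: {detail or 'no note from this Patch Day applies'}")
```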