Skip to content

SAP Security Patch Day – May 2021

SAP Patch Day

On Tuesday the 11th May the SAP Response Teams has published the monthly security corrections. Regular and precise patching is one of the most effective ways to protect critical enterprise applications. This month has seen a total of 11 corrections, while 6 new issues have been addressed. There were 5 updates to previously released Patch Day Security Notes.

You may find the full list of released SAP Security Notes ordered by their priority in the table listed below.

Highlights

The leader of the board of this month, are three corrections with a Hot News priority that have received an update. We encourage you to have a look at the provided update in order to evaluate the need for action. If you use a Patch Management solution for SAP, like the one included in the SecurityBridge Platform you will find only the relevant patches per system in accordance with their installed base.

After installation of SNOTE 3046610 – “[CVE-2021-27611] Code Injection vulnerability in SAP NetWeaver AS ABAP” a specific program will be removed. As a virtual patch, you may ensure that no user has the authorization to execute the program in SE38 or SA38.

SAP Business One customers should review the SNOTE 3049661 – “[CVE-2021-27616] Multiple vulnerabilities in SAP Business One, version for SAP HANA (Business-One-Hana-Chef-Cookbook)” if they run their system on SAP HANA.

Use SecurityBridge Patch Management to never miss an important patch, applicable for your SAP products.

Also relevant to SAP Business One, the Chef business-one-cookbook has received an update via 3049755 – [CVE-2021-27613] Information Disclosure in SAP Business One (Chef business-one-cookbook). The note recommends deleting and recreating the impacted systems through previously updated Chef.

With 3023078 – [CVE-2021-27612] SAP GUI for Windows is vulnerable to redirect users to an untrusted website a priority low SNote introduces a new patch for SAP GUI for Windows.

Summary by Severity

The May release contains a total of 11 patches for the following severities:

SeverityNumber
Hot News
3
High
3
Medium
4
Low
1
NoteDescriptionSeverityCVSS
2622660 Update to Security Note released on August 2018 Patch Day:Security updates for the browser control Google Chromium delivered with SAP Business Client
Product - SAP Business Client, Version - 6.5
Hot News
10
3040210 Update to Security Note released on April 2021 Patch Day:[CVE-2021-27602] Remote Code Execution vulnerability in Source Rules of SAP Commerce
Product - SAP Commerce, Versions - 1808, 1811, 1905, 2005, 2011 
Hot News
9.9
2999854 Update to Security Note released on January 2021 Patch Day:[CVE-2021-21466] Code Injection in SAP Business Warehouse and SAP BW/4HANA
Product - SAP Business Warehouse, Versions - 700, 701, 702, 711, 730, 731, 740, 750, 782 
Product - SAP BW4HANA, Versions - 100, 200
Hot News
9.9
3046610 [CVE-2021-27611] Code Injection vulnerability in SAP NetWeaver AS ABAP
Product - SAP NetWeaver AS ABAP, Versions - 700,701,702,730,731
High
8.2
3049661 [CVE-2021-27616] Multiple vulnerabilities in SAP Business One, version for SAP HANA (Business-One-Hana-Chef-Cookbook)Additional CVE - CVE-2021-27614
Product - SAP Business One, version for SAP HANA (Cookbooks), Versions - 0.1.6, 0.1.7, 0.1.19 
High
7.8
3049755 [CVE-2021-27613] Information Disclosure in SAP Business One (Chef business-one-cookbook)
Product - SAP Business One (Cookbooks), Version - 0.1.9
High
7.8
3039818 [CVE-2021-27619] Information Disclosure in SAP Commerce (Backoffice search)
Product - SAP Commerce (Backoffice Search), Versions - 1808, 1811, 1905, 2005, 2011
Medium
6.5
3012021 [Multiple CVEs] Multiple vulnerabilities in SAP Process Integration (Integration Builder Framework)CVEs - CVE-2021-27617, CVE-2021-27618
Product - SAP Process Integration (Integration Builder Framework), Versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50
Medium
4.9
2976947 Update to Security Note released on March 2021 Patch Day:[CVE-2021-21491] Reverse TabNabbing vulnerability in SAP NetWeaver Application Server Java (Applications based on Web Dynpro Java)
Product - SAP NetWeaver Application Server Java (Applications based on Web Dynpro Java), Versions - 7.00, 7.10, 7.11, 7.20, 7.30, 731, 7.40, 7.50 
Medium
4.7
3030948 Update to Security Note released on April 2021 Patch Day:[CVE-2021-27609] Missing Authorization check in SAP Focused RUN
Product - SAP Focused RUN, Versions - 200, 300
Medium
4.6
3023078 [CVE-2021-27612] SAP GUI for Windows is vulnerable to redirect users to an untrusted website
Product - SAP GUI for Windows, Versions - 7.60, 7.70
Low
3.4

Source

Posted by

Christoph Nagy
Find recent Security Advisories for SAP©
Download the White Paper “YOUR ROAD TO SAP SECURITY” to learn about the major milestones towards increasing the cybersecurity posture of your SAP systems.

Webinar: Why is SAP Security Patching not like Windows Updates?

The webinar, taking place on demand is all about SAP Patch Management and its challenges. The German-speaking SAP User Group (DSAG) and the American colleagues of ASUG asked why SAP security patching cannot be as simple and effective as, for example, Windows updates.
SAP Security Services
SAP Cybersecurity- Security News
Many companies have recognized the need for SAP cybersecurity, but many have also realized that they cannot accomplish this alone. There are many reasons for this. It can be due to the internal teams' workload or due to the employee's level of knowledge. However, there is a solution that neither burdens your internal staff nor demands additional knowledge. A specialized managed SAP Security Service allows you to harden mission-critical systems, detect and promptly counteract non-compliance, and implement monitoring with accurate anomaly detection.
Patch Management
SAP security provider SecurityBridge—now operating in the U.S.—today announced the full integration of its SAP Security Platform with the Microsoft Sentinel cloud-native Security Information and Event Manager (SIEM) platform and its membership to MISA. SecurityBridge was nominated to MISA because of the integration of its SAP Controller to the Microsoft Sentinel dashboard. SecurityBridge is a Smart Data Adapter that significantly simplifies security monitoring of critical and highly specific business applications.
Angriffserkennung für SAP
SAP Cybersecurity- SAP Identity and Authorization- SAP Threat Monitoring- Security News
Viele unserer Leserinnen und Leser erinnern sich noch an den 25. Mai 2018, Stichtag der bindenden Einführung der Datenschutzgrundverordnung, kurz DSGVO. Verstöße gegen die neue Regelung können seitdem zu drakonischen Strafen führen. Nun steht, zumindest für diejenigen Unternehmen, die zur kritischen Infrastruktur (KRITIS) von Deutschland zählen, ein ähnlicher Termin ins Haus. Am 1. Mai 2023 müssen betroffene Unternehmen ein System zur Angriffserkennung eingeführt haben.
SAP Cybersecurity Risks
SAP Cybersecurity- SAP Security Framework- Security News
Recently, we gave an insight into the known SAP attackers in our blog. Of course, it can already be deduced from this that there are internal and external SAP attackers. That is why today, we want to look at this from an SAP cybersecurity risk perspective.