SAP Security Patch Day – November 2021

SAP Patchday

November has come and the days in Germany are getting shorter and colder. No reason for the SAP Security and Response team not to continue their monthly patching practice! Looking at today’s publication of SAP Security Patch Day, we luckily find only 1 Hot News and 2 High priority corrections.

The month of November 2021 has seen a total of 7 published Security Patches by the SAP Security Response team. Regular visitors of our Dashboard know that this is only half the number of notes we see on average. 

This is good news for all SAP customers that execute regular patching to eliminate known vulnerabilities within the SAP product portfolio. Reviewing, validating and applying monthly SAP security corrections can be a tedious task. A low number of SAP patches published in November does reduce manual efforts. Any time gained can be invested into other security-relevant areas such as custom code security or hardening of the SAP environement.

Highlights

A specific highlight of the November SAP Security Patch Day is the correction in Note 3099776. The patch resolves a severe vulnerability in the trusting RFC technology stack that allows an attacker to gain elevated rights. Customers need to upgrade their Kernel version to resolve the issue. The SAP team also recommends making use of the suggested Update Strategy for the Kernel of the Application Server ABAP in On-Premise Landscapes.

Use SecurityBridge Patch Management to never miss an important patch, applicable for your SAP products.

Summary by Severity

The November release contains a total of 7 patches for the following severities:

SeverityNumber
Hot News
1
High
2
Medium
4
NoteDescriptionSeverityCVSS
3099776 [CVE-2021-40501] Missing Authorization check in ABAP Platform Kernel
Product - SAP ABAP Platform Kernel, Versions - 7.77, 7.81, 7.85, 7.86
Hot News
9.6
3110328 [CVE-2021-40502] Missing Authorization check in SAP Commerce
Product - SAP Commerce, Versions - 2105.3, 2011.13, 2005.18, 1905.34
High
8.3
2971638 Update to Security Note released on October 2020 Patch Day:[CVE-2020-6369] Hard-coded Credentials in CA Introscope Enterprise Manager (Affected products: SAP Solution Manager and SAP FocusedProduct- CA Introscope Enterprise Manager (Affected products: SAP Solution Manager and SAP Focused Run), Versions - 9.7, 10.1, 10.5, 10.7
High
7.5
3080106 [CVE-2021-40503] Information Disclosure in SAP GUI for Windows
Product - SAP GUI for Windows, Versions - < 7.60 PL13, 7.70 PL4
Medium
6.8
3104456 [CVE-2021-42062] Missing Authorization check in SAP ERP HCM
Product - SAP ERP HCM Portugal, Versions - 600, 604, 608
Medium
6.5
3068582 Update to Security Note released on September 2021 Patch Day:[CVE-2021-38164] Missing Authorization check in in SAP ERP Financial Accounting / RFOPENPOSTING_FR
Product - SAP ERP Financial Accounting (RFOPENPOSTING_FR) , Versions - SAP_APPL - 600, 602, 603, 604, 605, 606, 616, SAP_FIN - 617, 618, 700, 720, 730, SAPSCORE - 125, S4CORE, 100, 101, 102, 103, 104, 105 
Medium
5.4
3105728 [CVE-2021-40504] Leverage of Permission in SAP NetWeaver Application Server for ABAP and ABAP Platform
Product - SAP NetWeaver AS for ABAP and ABAP Platform, Versions - 700, 701, 702,710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756
Medium
4.9

Source

Posted by

Christoph Nagy
Share on linkedin
Share on twitter
Share on email
Find recent Security Advisories for SAP©
Download the White Paper “YOUR ROAD TO SAP SECURITY” to learn about the major milestones towards increasing the cybersecurity posture of your SAP systems.

Next-Gen Application Security for SAP

Join roundtable delegates who will discuss the challenges, solutions, and their experiences in simplifying security and combining it across the network and the SAP application, to introduce a shift in paradigm for SAP customers.
SAP-Security-Operations-Map
The SAP Secure Operations Map is part of the security recommendations published by SAP and has been revised several times over the years. While this is well known to SAP security experts, much fewer people in Information Security are familiar with it.
SAP Patchday
November has come and the days in Germany are getting shorter and colder. No reason for the SAP Security and Response team not to continue their monthly practice. Looking at today's publication of SAP Security Patch Day, we luckily find only 1 Hot News and 2 High priority corrections.
SAP Patchday
Like every second Tuesday of the month, it’s again SAP Patch day! Today, 12th October 2021, SAP again released security patches for its vast product portfolio.