Skip to content

SAP Security Patch Day – November 2021

SAP security Patch day

November has come and the days in Germany are getting shorter and colder. No reason for the SAP Security and Response team not to continue their monthly patching practice! Looking at today’s publication of SAP Security Patch Day, we luckily find only 1 Hot News and 2 High priority corrections.

The month of November 2021 has seen a total of 7 published Security Patches by the SAP Security Response team. Regular visitors of our Dashboard know that this is only half the number of notes we see on average. 

This is good news for all SAP customers that execute regular patching to eliminate known vulnerabilities within the SAP product portfolio. Reviewing, validating and applying monthly SAP security corrections can be a tedious task. A low number of SAP patches published in November does reduce manual efforts. Any time gained can be invested into other security-relevant areas such as custom code security or hardening of the SAP environement.

Highlights

A specific highlight of the November SAP Security Patch Day is the correction in Note 3099776. The patch resolves a severe vulnerability in the trusting RFC technology stack that allows an attacker to gain elevated rights. Customers need to upgrade their Kernel version to resolve the issue. The SAP team also recommends making use of the suggested Update Strategy for the Kernel of the Application Server ABAP in On-Premise Landscapes.

Use SecurityBridge Patch Management to never miss an important patch, applicable for your SAP products.

Summary by Severity

The November release contains a total of 7 patches for the following severities:

SeverityNumber
Hot News
1
High
2
Medium
4
NoteDescriptionSeverityCVSS
3099776 [CVE-2021-40501] Missing Authorization check in ABAP Platform Kernel
Product - SAP ABAP Platform Kernel, Versions - 7.77, 7.81, 7.85, 7.86
Hot News
9.6
3110328 [CVE-2021-40502] Missing Authorization check in SAP Commerce
Product - SAP Commerce, Versions - 2105.3, 2011.13, 2005.18, 1905.34
High
8.3
2971638 Update to Security Note released on October 2020 Patch Day:[CVE-2020-6369] Hard-coded Credentials in CA Introscope Enterprise Manager (Affected products: SAP Solution Manager and SAP FocusedProduct- CA Introscope Enterprise Manager (Affected products: SAP Solution Manager and SAP Focused Run), Versions - 9.7, 10.1, 10.5, 10.7
High
7.5
3080106 [CVE-2021-40503] Information Disclosure in SAP GUI for Windows
Product - SAP GUI for Windows, Versions - < 7.60 PL13, 7.70 PL4
Medium
6.8
3104456 [CVE-2021-42062] Missing Authorization check in SAP ERP HCM
Product - SAP ERP HCM Portugal, Versions - 600, 604, 608
Medium
6.5
3068582 Update to Security Note released on September 2021 Patch Day:[CVE-2021-38164] Missing Authorization check in in SAP ERP Financial Accounting / RFOPENPOSTING_FR
Product - SAP ERP Financial Accounting (RFOPENPOSTING_FR) , Versions - SAP_APPL - 600, 602, 603, 604, 605, 606, 616, SAP_FIN - 617, 618, 700, 720, 730, SAPSCORE - 125, S4CORE, 100, 101, 102, 103, 104, 105 
Medium
5.4
3105728 [CVE-2021-40504] Leverage of Permission in SAP NetWeaver Application Server for ABAP and ABAP Platform
Product - SAP NetWeaver AS for ABAP and ABAP Platform, Versions - 700, 701, 702,710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756
Medium
4.9

Source

Posted by

Christoph Nagy
Find recent Security Advisories for SAP©
Download the White Paper “Which cybersecurity framework is the best fit for SAP application security?” to learn more about the available frameworks, the challenges when adopting a framework, and more.

SecurityBridge at the DSAG Technologietage 2023

SecurityBridge will be attending the DSAG Technologietage 2023 from March 22nd-23rd at the Congress Center Rosengarten in Mannheim.
SAP Cyber risk
SAP Cybersecurity- Security News
Businesses must be more cautious to protect themselves from cyber threats as digitalization and the use of SAP systems increase. SAP S/4HANA is critical for many enterprises as it provides the foundation for business operations. As digitalization and Industry 4.0 continue to increase, SAP S/4HANA lays the foundation for many modern business scenarios. SAP systems are important for many industries and their security is a major concern, making them vulnerable to cyber attackers. This article will discuss cyber risks and how you can assess your individual and organizational SAP systems' risks. What are cyber risks?
Common SAP Patches
SAP Cybersecurity- SAP Patch Management- SAP Security Patch Day- Security News
Installing SAP patches is crucial for maintaining a robust and secure enterprise resource planning (ERP) system. SAP, one of the leading ERP systems in the world, is constantly evolving to meet the changing needs of businesses. As a result, SAP releases various patches to address issues and enhance the functionality of its software. However, installing SAP patches can present challenges for IT teams, such as ensuring minimal disruption to business operations, managing risks, and testing the non-implemented patches. This article will discuss the three most common types of SAP patches- kernel patches, snote patches, and support packs - and the best practices for installing them.
SAP interfaces
SAP Cybersecurity- SAP Interface- Security News
In this blog article, we will explore the importance of SAP interface security and discuss the various measures businesses can take to protect their systems and data. We will also examine some common threats to SAP interfaces and how to mitigate them. To safeguard your business, you need to understand the importance of SAP interface security and take steps to make your interfaces secure. 
SAP security Patch day
10th January 2023 SAP response team sends some Happy New Year greeting to the SAP Security Teams, by releasing 10 SAP Security Notes.