Skip to content

SAP Security Patch Day – November 2021

SAP security Patch day

November has come and the days in Germany are getting shorter and colder. No reason for the SAP Security and Response team not to continue their monthly patching practice! Looking at today’s publication of SAP Security Patch Day, we luckily find only 1 Hot News and 2 High priority corrections.

The month of November 2021 has seen a total of 7 published Security Patches by the SAP Security Response team. Regular visitors of our Dashboard know that this is only half the number of notes we see on average. 

This is good news for all SAP customers that execute regular patching to eliminate known vulnerabilities within the SAP product portfolio. Reviewing, validating and applying monthly SAP security corrections can be a tedious task. A low number of SAP patches published in November does reduce manual efforts. Any time gained can be invested into other security-relevant areas such as custom code security or hardening of the SAP environement.

Highlights

A specific highlight of the November SAP Security Patch Day is the correction in Note 3099776. The patch resolves a severe vulnerability in the trusting RFC technology stack that allows an attacker to gain elevated rights. Customers need to upgrade their Kernel version to resolve the issue. The SAP team also recommends making use of the suggested Update Strategy for the Kernel of the Application Server ABAP in On-Premise Landscapes.

Use SecurityBridge Patch Management to never miss an important patch, applicable for your SAP products.

Summary by Severity

The November release contains a total of 7 patches for the following severities:

Severity Number
Hot News
1
High
2
Medium
4
Note Description Severity CVSS
3099776 [CVE-2021-40501] Missing Authorization check in ABAP Platform Kernel
Product - SAP ABAP Platform Kernel, Versions - 7.77, 7.81, 7.85, 7.86
Hot News
9.6
3110328 [CVE-2021-40502] Missing Authorization check in SAP Commerce
Product - SAP Commerce, Versions - 2105.3, 2011.13, 2005.18, 1905.34
High
8.3
2971638 Update to Security Note released on October 2020 Patch Day:[CVE-2020-6369] Hard-coded Credentials in CA Introscope Enterprise Manager (Affected products: SAP Solution Manager and SAP FocusedProduct- CA Introscope Enterprise Manager (Affected products: SAP Solution Manager and SAP Focused Run), Versions - 9.7, 10.1, 10.5, 10.7
High
7.5
3080106 [CVE-2021-40503] Information Disclosure in SAP GUI for Windows
Product - SAP GUI for Windows, Versions - < 7.60 PL13, 7.70 PL4
Medium
6.8
3104456 [CVE-2021-42062] Missing Authorization check in SAP ERP HCM
Product - SAP ERP HCM Portugal, Versions - 600, 604, 608
Medium
6.5
3068582 Update to Security Note released on September 2021 Patch Day:[CVE-2021-38164] Missing Authorization check in in SAP ERP Financial Accounting / RFOPENPOSTING_FR
Product - SAP ERP Financial Accounting (RFOPENPOSTING_FR) , Versions - SAP_APPL - 600, 602, 603, 604, 605, 606, 616, SAP_FIN - 617, 618, 700, 720, 730, SAPSCORE - 125, S4CORE, 100, 101, 102, 103, 104, 105 
Medium
5.4
3105728 [CVE-2021-40504] Leverage of Permission in SAP NetWeaver Application Server for ABAP and ABAP Platform
Product - SAP NetWeaver AS for ABAP and ABAP Platform, Versions - 700, 701, 702,710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756
Medium
4.9

Source

Posted by

Christoph Nagy
Find recent Security Advisories for SAP©
Download the White Paper “Bridging the Gap – How SecurityBridge Supports NIST CSF in SAP Environments”. Learn how choosing the right tool can significantly shorten the journey of NIST CSF adoption and improve the security posture of SAP environments.

Mastering NIST & CISA Compliance for SAP

Join us for an enlightening webinar where we simplify these regulatory frameworks, map CISA guidelines to SAP instances, and showcase how the SecurityBridge platform can assist you in achieving your SAP compliance needs.
SAP vulnerability
SAP Vulnerability
As we know, SAP (Systems, Applications, and Products in Data Processing) is a widely used enterprise resource planning (ERP) software suite that helps organizations manage various business operations. No digital system is secure by nature or by default - there will always be security challenges, and SAP is no exception. In this article, we discuss the Top 10 vulnerabilities in SAP – how they affect the security of an SAP system, and finally, how to identify and manage them with SecurityBridge.
SAP security Patch day
Today, September 12th, 2023 brings the release of SAP Security Patches for the extensive enterprise application portfolio developed by the Walldorf giant. SAP released 13 new Security Notes and provided 5 updates to previously released Security Notes.
Leadership team
SecurityBridge, a leading provider of cybersecurity solutions for SAP customers, acquired Dutch SAP security specialist Protect4S. Through the acquisition, customers will benefit from an even more comprehensive one-stop-shop software platform that will improve every SAP customer’s security position across all technology stacks.