Skip to content
Linkedin Twitter Facebook Xing
< Back to Overview

SAP Security Patch Day – October 2021

SAP security Patch day

Like every second Tuesday of the month, it’s again SAP Patch day! Today, 12th October 2021, SAP again released security patches for its vast product portfolio. This month the SAP security experts fixed 13 issues and 1 previously released patch received an update.

Highlights

SecurityBridge CTO, Ivan Mans identified and reported a vulnerability existing in the SAP software deployment system for which SAP today published Hot News correction 3097887, rated CVSS 9.1 [CVE-2021-38178]. The vulnerability exists in all SAP NetWeaver AS ABAP and ABAP Platform Versions starting from 700 up to 756.

Furthermore, the month of October introduced 2 more Hot News corrections and 1 with Priority High. Note 2622660 (CVSS 10.0) has been used to provide yet another security update for the Google Chromium engine used in the SAP Business Client.
With Note 3101406 a potential XML external Entity Injection Vulnerability in SAP Environmental Compliance Version 3.0 was fixed.

Use SecurityBridge Patch Management to never miss an important patch, applicable for your SAP products.

Request a Demo

Summary by Severity

The October release contains a total of 14 patches for the following severities:

Severity Number
Hot News
 3
High
 1
Medium
 10
Note Description Severity CVSS
2622660 Update to Security Note released on April 2018 Patch Day:Security updates for the browser control Google Chromium delivered with SAP Business ClientProduct – SAP Business Client, Version – 6.5
HotNews
 10
3101406 Potential XML External Entity Injection Vulnerability in SAP Environmental ComplianceRelated CVEs - CVE-2020-10683, CVE-2021-23926
Product - SAP Environmental Compliance, Version - 3.0
HotNews
 9.8
3097887 [CVE-2021-38178] Improper Authorization in SAP NetWeaver AS ABAP and ABAP Platform
Product - SAP NetWeaver AS ABAP and ABAP Platform, Versions - 700, 701, 702, 710, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756  
HotNews
 9.1
3077635 [CVE-2021-40498] Denial of service (DOS) in the SAP SuccessFactors Mobile Application for Android devices
Product - SAP SuccessFactors Mobile Application (for Android devices), Versions - <2108 < /td>
High
 7.8
3074693 [CVE-2021-40500] Missing XML Validation in SAP BusinessObjects Business Intelligence Platform (Crystal Reports)
Product - SAP BusinessObjects Business Intelligence Platform (Crystal Reports), Versions - 420, 430
Medium
 6.9
3074819 [CVE-2021-38179] Information Disclosure in SAP Business One
Product - SAP Business One, Version - 10.0
Medium
 6.7
3079427 [CVE-2021-38180] CSV Injection in SAP Business One
Product - SAP Business One, Version - 10.0
Medium
 6.5
3080710 [CVE-2021-38181] Denial of service (DOS) in SAP NetWeaver AS ABAP and ABAP Platform
Product - SAP NetWeaver AS ABAP and ABAP Platform, Versions - 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756 
Medium
 6.5
3100882 [CVE-2021-40499] Code Injection vulnerability for SAP NetWeaver Application Server for ABAP (SAP Cloud Print Manager and SAPSprint)
Product - SAP NetWeaver Application Server for ABAP (SAP Cloud Print Manager and SAPSprint), Versions - 7.70, 7.70 PI, 7.70BYD 
Medium
 6.4
3055347 Cross-Site Scripting (XSS) vulnerability in SAPUI5Related CVE - CVE-2020-11023
Product - SAPUI5, Versions - 750, 753, 754
Medium
 6.1
3084937 [CVE-2021-38183] Cross-Site Scripting (XSS) vulnerability in cms Service of SAP NetWeaver
Product - SAP NetWeaver, Versions - 700, 701, 702, 730 
Medium
 5.4
3099011 [CVE-2021-40495] Denial of Service (DOS) in SAP NetWeaver Application Server for ABAP and ABAP Platform
Product - SAP NetWeaver AS ABAP and ABAP Platform, Versions - 740, 750, 751, 752, 753, 754, 755 
Medium
 5.3
3098917 [CVE-2021-40497] Information Disclosure in SAP BusinessObjects Analysis (edition for OLAP)
Product - SAP BusinessObjects Analysis, (edition for OLAP), Versions - 420, 430
Medium
 4.3
3087254 [CVE-2021-40496] Improper Access Control in SAP NetWeaver AS ABAP and ABAP Platform
Product - SAP NetWeaver AS ABAP and ABAP Platform, Versions - 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 785 
Medium
 4.3

Source

Posted by

Christoph Nagy
Find recent Security Advisories for SAP©
View Advisory for Sept'21
White Paper - Bridging the Gap How SecurityBridge Supports NIST CSF in SAP Environments
Download the White Paper “Bridging the Gap – How SecurityBridge Supports NIST CSF in SAP Environments”. Learn how choosing the right tool can significantly shorten the journey of NIST CSF adoption and improve the security posture of SAP environments.
DSAG Jahreskongress 2023

DSAG-Jahreskongress 2023

Alles verändert sich, nichts bleibt wie es ist, die heutige Zeit setzt Flexibilität voraus. Entsprechend wandelbar präsentieren sich DSAG, SAP und das gesamte Ökosystem. Diese Wandlungsfähigkeit steht auch im Fokus des DSAG-Jahreskongress 2023 vom 19.-21. September 2023 in Bremen. Unter dem Motto „Wunderbar wandelbar – Gemeinsam neue Perspektiven schaffen“ freut sich die DSAG wieder darauf, mehr als 5.000 Teilnehmende zu begrüßen. Wagen Sie gemeinsam mit der Interessenvertretung den Blick durch das Kaleidoskop und finden Sie den richtigen Dreh, um zu neuen Blickwinkeln zu gelangen und Veränderungen zu gestalten.
Learn more
SAP security Patch day

SAP Security Patch Day – May 2023

SAP Security Patch Day
Today is another SAP Security Patch Day. In May 2023, the SAP Response Team released 20 SAP Security Notes, including Evergreen 2622660 Security updates for the browser control Google Chromium delivered with SAP Business Client with HotNews priority. Besides two updated Notes, SAP Security Patch Day May 2023, contains 18 new security updates for the vast SAP Product portfolio while the majority relates to SAP Business Objects.
SAP ABAP Directory Traversal Vulnerability

SAP ABAP Directory Traversal Vulnerability: Risks and Solutions

SAP Vulnerability
SAP developers know that ABAP/4 (Advanced Business Application Programming) is not immune to security vulnerabilities like any other programming language. One significant security risk associated with SAP ABAP is directory traversal vulnerability. In this blog post, we will discuss what a directory traversal vulnerability is, why it is a problem for SAP customers, how it can be exploited, and what measures to take to prevent it.
we are hiring - career page

Sales Representative – US Market (Software Sales, SAP Security, Cybersecurity)

Open Position
SecurityBridge is a leading provider of cutting-edge cybersecurity for SAP, catering to businesses of all sizes. We are expanding our operation to the US market and are looking for an experienced Sales Representative to join our team. The ideal candidate will have at least 5 years of experience in sales, with a focus on software sales, SAP security, and cybersecurity.