SAP Security Patch Day – September 2021

The sleeping giant awakes from the summer break. The 14th of September marks another SAP Security Patch Day release in our calendars. Compared with the other SAP Patch Days of 2021, the September Patch Day stands out for its number of HotNews corrections. We count 7 SAP Security Notes with severity HotNews, two of which are updates to Notes released on a previous Patch Day.

Highlights

Attackers look for loopholes through which to introduce malicious content such as ransomware. The recent article “Demystify ransomware in the context of SAP” explains the situation. In today’s Patch Day, SAP releases a severe correction for SAP NetWeaver Visual Composer 7.0. The component received a correction that prevents attackers from uploading malicious content, including executable files.

The new security patch carrying the note number 3078609 received a CVSS score of 10.0 and resolves a severe Missing Authorization Check vulnerability in the SAP NetWeaver Application Server for Java (JMS Connector Service). Threat actors may gain access to restricted areas and could be able to read, change or delete data.

Another heavily used component, the SAP NZDT Mapping Table Framework, has received a patch (#3089831): left unpatched, it allows SQL injection in recent versions of SAP S/4HANA. If you haven’t had the time to look at Patch 3078312 (SQL Injection vulnerability in SAP NZDT Row Count Reconciliation) released in August 2021, it may be worth combining the patch installations to resolve two HotNews issues at once.

The SAP Security Experts in Walldorf have provided corrections for the following vulnerability types in September:
– Code Injection
– Cross-Site Scripting (XSS)
– Information Disclosure
– Missing Authorization Check
– OS Command Injection
– SQL Injection
– Unrestricted File Upload

Use SecurityBridge Patch Management so you never miss an important patch applicable to your SAP products.

Summary by Severity

The September release contains a total of 19 patches for the following severities:

Severity   Number
Hot News   7
High       2
Medium     10
Note 2622660 – HotNews – CVSS 10.0
Update to Security Note released on April 2018 Patch Day: Security updates for the browser control Google Chromium delivered with SAP Business Client
Product - SAP Business Client, Version - 6.5

Note 3078609 – HotNews – CVSS 10.0
[CVE-2021-37535] Missing Authorization check in SAP NetWeaver Application Server for Java (JMS Connector Service)
Product - SAP NetWeaver Application Server Java (JMS Connector Service), Versions - 7.11, 7.20, 7.30, 7.31, 7.40, 7.50

Note 3071984 – HotNews – CVSS 9.9
Update to Security Note released on August 2021 Patch Day: [CVE-2021-33698] Unrestricted File Upload vulnerability in SAP Business One
Product - SAP Business One, Versions - 10.0

Note 3089831 – HotNews – CVSS 9.9
[CVE-2021-38176] SQL Injection vulnerability in SAP NZDT Mapping Table Framework
Product - SAP S/4HANA, Versions - 1511, 1610, 1709, 1809, 1909, 2020, 2021
Product - SAP LT Replication Server, Versions - 2.0, 3.0
Product - SAP LTRS for S/4HANA, Version - 1.0
Product - SAP Test Data Migration Server, Version - 4.0
Product - SAP Landscape Transformation, Version - 2.0

Note 3084487 – HotNews – CVSS 9.9
[CVE-2021-38163] Unrestricted File Upload vulnerability in SAP NetWeaver (Visual Composer 7.0 RT)
Product - SAP NetWeaver (Visual Composer 7.0 RT), Versions - 7.30, 7.31, 7.40, 7.50

Note 3081888 – HotNews – CVSS 9.9
[CVE-2021-37531] Code Injection vulnerability in SAP NetWeaver Knowledge Management (XMLForms)
Product - SAP NetWeaver Knowledge Management XML Forms, Versions - 7.10, 7.11, 7.30, 7.31, 7.40, 7.50

Note 3073891 – HotNews – CVSS 9.6
[CVE-2021-33672] Multiple vulnerabilities in SAP Contact Center
Additional CVEs - CVE-2021-33673, CVE-2021-33674, CVE-2021-33675
Product - SAP Contact Center, Version - 700

Note 3080567 – High – CVSS 8.9
[CVE-2021-38162] HTTP Request Smuggling in SAP Web Dispatcher
Product - SAP Web Dispatcher, Versions - WEBDISP - 7.49, 7.53, 7.77, 7.81, KRNL64NUC - 7.22, 7.22EXT, 7.49, KRNL64UC - 7.22, 7.22EXT, 7.49, 7.53, KERNEL - 7.22, 7.49, 7.53, 7.77, 7.81, 7.83

Note 3051787 – High – CVSS 7.5
[CVE-2021-38177] Null Pointer Dereference vulnerability in SAP CommonCryptoLib
Product - SAP CommonCryptoLib, Versions - 8.5.38 or lower

Note 3069032 – Medium – CVSS 6.5
[CVE-2021-33685] Directory Traversal vulnerability in SAP Business One
Product - SAP Business One, Versions - 10.0

Note 3082500 – Medium – CVSS 6.5
[CVE-2021-38175] Information Disclosure in SAP Analysis for Microsoft Office
Product - SAP Analysis for Microsoft Office, Version - 2.8

Note 3060621 – Medium – CVSS 6.1
[CVE-2021-38150] Information disclosure in SAP Business Client
Product - SAP Business Client, Versions - 7.0, 7.70

Note 3055180 – Medium – CVSS 5.4
[CVE-2021-33679] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (BI Workspace)
Product - SAP BusinessObjects Business Intelligence Platform (BI Workspace), Version - 420

Note 3068582 – Medium – CVSS 5.4
[CVE-2021-38164] Missing Authorization check in SAP ERP Financial Accounting / RFOPENPOSTING_FR
Product - SAP ERP Financial Accounting (RFOPENPOSTING_FR), Versions - SAP_APPL - 600, 602, 603, 604, 605, 606, 616, SAP_FIN - 617, 618, 700, 720, 730, SAPSCORE - 125, S4CORE - 100, 101, 102, 103, 104, 105

Note 3070138 – Medium – CVSS 5.3
[CVE-2021-33686] Information Disclosure in SAP Business One
Product - SAP Business One, Version - 10.0

Note 3082219 – Medium – CVSS 4.8
[CVE-2021-21489] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal
Product - SAP NetWeaver Enterprise Portal, Versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50

Note 3069882 – Medium – CVSS 4.3
[CVE-2021-33688] SQL Injection vulnerability in SAP Business One
Product - SAP Business One, Version - 10.0

Note 3075546 – Medium – CVSS 4.3
[CVE-2021-37532] Directory Listing Enabled in SAP Business One
Product - SAP Business One, Version - 10.0

Note 3087791 – Medium – CVSS 4.3
[CVE-2021-38174] Improper Input Validation in SAP 3D Visual Enterprise Viewer
Product - SAP 3D Visual Enterprise Viewer, Version - 9.0

Posted by Christoph Nagy