SAP Security Patch Day – September 2021
The sleeping giant awakes from the summer break. The 14th of September marks another SAP Security Patch Day release in our calendars. Compared with the earlier Patch Days of 2021, the September release stands out for its number of HotNews corrections: we count 7 SAP Security Notes with severity HotNews, two of which are updates to notes from a previous Patch Day.
Attackers look for loopholes through which to introduce malicious content such as ransomware. The recent article “Demystify ransomware in the context of SAP“ explains the situation. Today's Patch Day delivers a severe correction for SAP NetWeaver Visual Composer 7.0: the component received a patch that prevents attackers from uploading malicious content, including executable files.
The new security patch carrying the note number 3078609 received a CVSS score of 10.0 and resolves a missing authorization check in the JMS Connector Service of SAP NetWeaver Application Server for Java. Threat actors may gain access to restricted functionality and could be able to read, change or delete data.
Another heavily used component, the SAP NZDT Mapping Table Framework, has received a patch (#3089831): left unpatched, it allows SQL injection in recent releases of SAP S/4HANA. If you have not yet had time to look at Note 3078312 (SQL Injection vulnerability in SAP NZDT Row Count Reconciliation), released in August 2021, it is worth installing the two patches together to resolve both HotNews issues in one go.
The SAP Security Experts in Walldorf have provided corrections for the following vulnerability types in September:
– Code Injection
– Cross-Site Scripting (XSS)
– Information Disclosure
– Missing Authorization Check
– OS Command Injection
– SQL Injection
– Unrestricted File Upload
Summary by Severity
The September release contains a total of 19 patches for the following severities: