
SAP Security Patch Day – August 2021


Tuesday the 10th of August was blocked in our calendars as the next monthly SAP Security Patch Day. It is important to review these security updates regularly to ensure that no critical vulnerability remains unpatched. The SAP Patch Day of August 2021 brought 14 new SAP Security Notes (see the list below). One previously released correction has been updated too.

Highlights

SAP has provided patches for the following vulnerability types in August:
– Cross-Site Scripting (XSS)
– SQL Injection
– Unrestricted File Upload
– Server-Side Request Forgery (SSRF)
– Task Hijacking
– Missing Authentication check
– Missing Authorization check
– URL Redirection vulnerability
– Reverse Tabnabbing

In August the number of patches did not rise compared to last month, but the share of high-priority Security Notes increased significantly: there are 8 corrections with priority High or Hot News (Very High). In 2021, we only saw a similar distribution on the SAP Security Patch Day of April.

While reviewing the released security patches, one realizes that the SAP NetWeaver Enterprise Portal has scored a hat-trick: three corrections with priority High, with CVSS scores ranging from 8.1 to 8.3, have been published for it.

Besides the SAP NetWeaver Enterprise Portal, SAP Business One has also received special attention, with three new corrections ranging from CVSS 6.3 to 9.9. An unrestricted file upload vulnerability rated Hot News (CVSS 9.9) has been identified and resolved with note 3071984. The note lists the specific SP and hotfix levels that customers running SAP Business One need to update to. Alternatively, a temporary workaround is provided.

If you use the DMIS Mobile Plug-In or SAP S/4HANA, correction 3078312 requires your attention. The fix should be fast and easy to apply, since it can be implemented via transaction SNOTE.

Use SecurityBridge Patch Management to never miss an important patch, applicable for your SAP products.

Summary by Severity

The August release contains a total of 15 patches (14 new Security Notes plus one updated note) with the following severities:

Severity    Number
Hot News    3
High        5
Medium      7
Security Notes in detail (sorted by CVSS score):

3071984 [CVE-2021-33698] Unrestricted File Upload vulnerability in SAP Business One
  Product: SAP Business One, Version 10.0
  Severity: Hot News, CVSS 9.9

3072955 [CVE-2021-33690] Server Side Request Forgery vulnerability in SAP NetWeaver Development Infrastructure (Component Build Service)
  Product: SAP NetWeaver Development Infrastructure (Component Build Service), Versions 7.11, 7.20, 7.30, 7.31, 7.40, 7.50
  Severity: Hot News, CVSS 9.9

3078312 [CVE-2021-33701] SQL Injection vulnerability in SAP NZDT Row Count Reconciliation
  Product: DMIS Mobile Plug-In, Versions DMIS 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 710, 2011_1_731, 710, 2011_1_752, 2020
  Product: SAP S/4HANA, Versions SAPSCORE 125, S4CORE 102, 102, 103, 104, 105
  Severity: Hot News, CVSS 9.1

3073681 [CVE-2021-33702] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal
  Product: SAP NetWeaver Enterprise Portal, Versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50
  Severity: High, CVSS 8.3

3072920 [CVE-2021-33703] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal
  Product: SAP NetWeaver Enterprise Portal (Application Extensions), Versions 7.30, 7.31, 7.40, 7.50
  Severity: High, CVSS 8.3

3074844 [CVE-2021-33705] Server-Side Request Forgery (SSRF) vulnerability in SAP NetWeaver Enterprise Portal
  Product: SAP NetWeaver Enterprise Portal, Versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50
  Severity: High, CVSS 8.1

3067219 [CVE-2021-33699] Task Hijacking in SAP Fiori Client Native Mobile for Android
  Product: SAP Fiori Client Native Mobile for Android, Version 3.2
  Severity: High, CVSS 7.6

3073325 [CVE-2021-33700] Missing Authentication check in SAP Business One
  Product: SAP Business One, Version 10.0
  Severity: High, CVSS 7.0

3073450 [CVE-2021-33691] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Development Infrastructure (Notification Service)
  Product: SAP NetWeaver Development Infrastructure (Notification Service), Versions 7.31, 7.40, 7.50
  Severity: Medium, CVSS 6.9

3058553 [CVE-2021-33695] Multiple Vulnerabilities in SAP Cloud Connector (additional CVEs: CVE-2021-33694, CVE-2021-33693, CVE-2021-33692)
  Product: SAP Cloud Connector, Version 2.0
  Severity: Medium, CVSS 6.8

3078072 [CVE-2021-33704] Missing Authorization Check in SAP Business One (Service Layer)
  Product: SAP Business One, Version 10.0
  Severity: Medium, CVSS 6.3

3002517 Update to a Security Note released on the June 2021 Patch Day: [CVE-2021-21473] Missing Authorization check in SAP NetWeaver AS ABAP and ABAP Platform
  Product: SAP NetWeaver AS ABAP and ABAP Platform (SRM_RFC_SUBMIT_REPORT), Versions 700, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755
  Severity: Medium, CVSS 6.3

3076399 [CVE-2021-33707] URL Redirection vulnerability in SAP NetWeaver (Knowledge Management)
  Product: SAP NetWeaver (Knowledge Management), Versions 7.30, 7.31, 7.40, 7.50
  Severity: Medium, CVSS 6.1

3062085 [CVE-2021-33696] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (Crystal Report)
  Product: SAP BusinessObjects Business Intelligence Platform (Crystal Report), Versions 420, 430
  Severity: Medium, CVSS 5.4

3063048 [CVE-2021-33697] Reverse Tabnabbing in SAP BusinessObjects Business Intelligence Platform (SAP UI5)
  Product: SAP BusinessObjects Business Intelligence Platform (SAPUI5), Versions 420, 430
  Severity: Medium, CVSS 4.7
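A list like the one above is only useful once it is matched against what actually runs in your landscape. The following script is an added example (not code from this post or from SecurityBridge): it carries the August 2021 notes as records transcribed from the list above, checks that the stated priorities agree with SAP's CVSS bands for Security Notes (Hot News 9.0-10.0, High 7.0-8.9, Medium 4.0-6.9, Low below 4.0), reproduces the severity summary, and returns the notes that hit a given product inventory, most severe first. The inventory at the bottom is constructed for illustration, and the S/4HANA and DMIS version lists are normalised to one token per release.

```python
"""Triage helper for an SAP Security Patch Day release.

Added example, not code from the original post or from SecurityBridge. The note
records are transcribed from the August 2021 list on this page; the inventory
at the bottom is a constructed example landscape.
"""
from collections import Counter

# (note, primary CVE, product, affected versions, SAP priority, CVSS), one row per
# (note, product) pair, transcribed from the list above. Version strings are kept
# as the notes print them (the S/4HANA and DMIS lists are normalised to one token
# per release) so that an inventory can be matched on exact strings.
NOTES = [
    ("3071984", "CVE-2021-33698", "SAP Business One", ["10.0"], "Hot News", 9.9),
    ("3072955", "CVE-2021-33690", "SAP NetWeaver Development Infrastructure",
     ["7.11", "7.20", "7.30", "7.31", "7.40", "7.50"], "Hot News", 9.9),
    ("3078312", "CVE-2021-33701", "SAP S/4HANA",
     ["SAPSCORE 125", "S4CORE 102", "S4CORE 103", "S4CORE 104", "S4CORE 105"], "Hot News", 9.1),
    ("3078312", "CVE-2021-33701", "DMIS Mobile Plug-In",
     ["2011_1_620", "2011_1_640", "2011_1_700", "2011_1_710", "2011_1_730",
      "2011_1_731", "2011_1_752", "2020"], "Hot News", 9.1),
    ("3073681", "CVE-2021-33702", "SAP NetWeaver Enterprise Portal",
     ["7.10", "7.11", "7.20", "7.30", "7.31", "7.40", "7.50"], "High", 8.3),
    ("3072920", "CVE-2021-33703", "SAP NetWeaver Enterprise Portal",
     ["7.30", "7.31", "7.40", "7.50"], "High", 8.3),
    ("3074844", "CVE-2021-33705", "SAP NetWeaver Enterprise Portal",
     ["7.10", "7.11", "7.20", "7.30", "7.31", "7.40", "7.50"], "High", 8.1),
    ("3067219", "CVE-2021-33699", "SAP Fiori Client Native Mobile for Android", ["3.2"], "High", 7.6),
    ("3073325", "CVE-2021-33700", "SAP Business One", ["10.0"], "High", 7.0),
    ("3073450", "CVE-2021-33691", "SAP NetWeaver Development Infrastructure",
     ["7.31", "7.40", "7.50"], "Medium", 6.9),
    ("3058553", "CVE-2021-33695", "SAP Cloud Connector", ["2.0"], "Medium", 6.8),
    ("3078072", "CVE-2021-33704", "SAP Business One", ["10.0"], "Medium", 6.3),
    ("3002517", "CVE-2021-21473", "SAP NetWeaver AS ABAP and ABAP Platform",
     ["700", "702", "710", "711", "730", "731", "740", "750", "751", "752", "753", "754", "755"],
     "Medium", 6.3),
    ("3076399", "CVE-2021-33707", "SAP NetWeaver (Knowledge Management)",
     ["7.30", "7.31", "7.40", "7.50"], "Medium", 6.1),
    ("3062085", "CVE-2021-33696", "SAP BusinessObjects Business Intelligence Platform",
     ["420", "430"], "Medium", 5.4),
    ("3063048", "CVE-2021-33697", "SAP BusinessObjects Business Intelligence Platform",
     ["420", "430"], "Medium", 4.7),
]


def sap_priority(cvss):
    """SAP's published CVSS bands for Security Note priorities (Hot News 9.0-10.0,
    High 7.0-8.9, Medium 4.0-6.9, Low below 4.0)."""
    if cvss >= 9.0:
        return "Hot News"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low"


def severity_counts(notes=NOTES):
    """Count each note once even when it is listed for several products."""
    priority_by_note = {row[0]: row[4] for row in notes}
    return dict(Counter(priority_by_note.values()))


def mislabelled(notes=NOTES):
    """Notes whose stated priority disagrees with the CVSS band, a cheap sanity
    check when a list has been transcribed or scraped."""
    return sorted({row[0] for row in notes if sap_priority(row[5]) != row[4]})


def applicable(inventory, notes=NOTES):
    """Notes that hit a product/version in `inventory` ({product: set of versions}),
    most severe first, with the matched versions so the owner knows which systems."""
    hits = []
    for note, cve, product, versions, priority, cvss in notes:
        matched = sorted(inventory.get(product, set()) & set(versions))
        if matched:
            hits.append((note, cve, product, matched, priority, cvss))
    return sorted(hits, key=lambda h: (-h[5], h[0]))


# Constructed example landscape. Fiori Client 3.1 is included to show that only
# versions the note actually lists (3.2) are reported.
EXAMPLE_INVENTORY = {
    "SAP NetWeaver Enterprise Portal": {"7.50"},
    "SAP Business One": {"10.0"},
    "SAP NetWeaver AS ABAP and ABAP Platform": {"752"},
    "SAP Fiori Client Native Mobile for Android": {"3.1"},
}

if __name__ == "__main__":
    print("Severity counts:", severity_counts())
    print("Priority/CVSS mismatches:", mislabelled() or "none")
    for note, cve, product, matched, priority, cvss in applicable(EXAMPLE_INVENTORY):
        print(f"{note} {cve} {priority:8} CVSS {cvss:<4} {product} {', '.join(matched)}")
```

Matching is on exact version strings as the notes print them, which is deliberate: a note that lists 7.50 says nothing about a release it does not list, so the script never extrapolates. For the constructed inventory it reports seven notes, led by 3071984 and the three Enterprise Portal corrections, while 3078312 is not reported because neither S/4HANA nor the DMIS Plug-In is in the inventory.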


Posted by Christoph Nagy