SAP Security Patch Day – July 2021

There are a few constants in life. For SAP professionals, one of these constants is the SAP Security Patch Day. Every second Tuesday of a month – yes 12 times a year – the SAP Security and Response team issues new or improved security patches.

On 13 July 2021, SAP Security Patch Day saw the release of 14 Security Notes. Three of them were updates to previously released Security Notes.

Highlights

SAP has provided patches for the following vulnerability types in July:
– Code Injection
– Cross-Site Scripting
– Denial of Service
– Information Disclosure
– Missing Authorization Check
– Other

Luckily, we only see two corrections with the priority “Hot News”. Both of them are updates to previously released patches.
1. Security updates for the browser control Google Chromium delivered with SAP Business Client (SNote 2622660). This note receives updates on a monthly basis and should be reviewed regularly.

2. Improper Authentication in SAP NetWeaver ABAP Server and ABAP Platform (SNote 3007182). The note was extended with a new version in the ‘Support Packages & Patches’ section.

New this month is “Missing Authorization check in SAP NetWeaver Guided Procedures” (SNote 3059446), which is relevant for all versions from 7.10 to 7.50 and carries a CVSS score of 7.6 (High). If the Guided Procedures are not in use, the note suggests deactivating the feature in the Java System Properties as a workaround.

“Denial of Service (DoS) in SAP NetWeaver AS for Java (HTTP Service)” (SNote 3056652) provides a solution to prevent an attacker from crashing or flooding a vulnerable HTTP Service. For the resolution, customers need to update the AS Java Server with the service pack provided in the “Support Packages & Patches” section of the Note.

Use SecurityBridge Patch Management to never miss an important patch, applicable for your SAP products.

Patch Management is key

Patch Management is a key pillar of any SAP security program. The latest SAP Security Patch Day again shows that implementing security patches requires dedicated capacity and specialized know-how. Departments are typically not overstaffed and thus work at the limit of their capacity. As a consequence, basic security hygiene may be left aside while other activities are given a higher priority. This is a dilemma, since installing security patches provides a high level of protection.

Read more about “Efficient SAP Patch Management” in our recent blog article.

Summary by Severity

The July release contains a total of 14 patches for the following severities:

| Severity | Number |
|---|---|
| Hot News | 2 |
| High | 2 |
| Medium | 10 |

| Note | Description | Product and versions | Severity | CVSS |
|---|---|---|---|---|
| 2622660 | Update to Security Note released on August 2018 Patch Day: Security updates for the browser control Google Chromium delivered with SAP Business Client | SAP Business Client, version 6.5 | Hot News | 10 |
| 3007182 | Update to Security Note released on June 2021 Patch Day: [CVE-2021-27610] Improper Authentication in SAP NetWeaver ABAP Server and ABAP Platform | SAP NetWeaver AS ABAP and ABAP Platform, versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 804 | Hot News | 9 |
| 3059446 | [CVE-2021-33671] Missing Authorization check in SAP NetWeaver Guided Procedures | SAP NetWeaver Guided Procedures (Administration Workset), versions 7.10, 7.20, 7.30, 7.31, 7.40, 7.50 | High | 7.6 |
| 3056652 | [CVE-2021-33670] Denial of Service (DoS) in SAP NetWeaver AS for Java (HTTP Service) | SAP NetWeaver AS for Java (HTTP Service), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 | High | 7.5 |
| 3066316 | [CVE-2021-33676] Missing authorization check in SAP CRM ABAP | SAP CRM, versions 700, 701, 702, 712, 713, 714 | Medium | 6.8 |
| 3036436 | Update to Security Note released on April 2021 Patch Day: [CVE-2021-27604] Potential XXE Vulnerability in SAP Process Integration (ESR Java Mappings) | SAP Process Integration (Enterprise Service Repository JAVA Mappings), versions 7.10, 7.20, 7.30, 7.31, 7.40, 7.50 | Medium | 6.5 |
| 3044754 | [CVE-2021-33677] Information Disclosure in SAP NetWeaver AS ABAP and ABAP Platform | SAP NetWeaver AS ABAP and ABAP Platform, versions 700, 702, 730, 731, 804, 740, 750, 784, DEV | Medium | 6.5 |
| 3048657 | [CVE-2021-33678] Code Injection vulnerability in SAP NetWeaver AS ABAP (Reconciliation Framework) | SAP NetWeaver AS ABAP (Reconciliation Framework), versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 75A, 75B, 75C, 75D, 75E, 75F | Medium | 6.5 |
| 3053403 | [CVE-2021-33682] Cross-Site Scripting (XSS) vulnerability in SAP Lumira Server | SAP Lumira Server, version 2.4 | Medium | 5.4 |
| 3000663 | [CVE-2021-33683] HTTP Request Smuggling in SAP Web Dispatcher and Internet Communication Manager | SAP Web Dispatcher and Internet Communication Manager, versions KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT; KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT; KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49; KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.53, 7.73; WEBDISP 7.53, 7.73, 7.77, 7.81, 7.82, 7.83; KERNEL 7.21, 7.22, 7.49, 7.53, 7.73, 7.77, 7.81, 7.82, 7.83 | Medium | 5.4 |
| 3032624 | [CVE-2021-33684] Memory Corruption in SAP NetWeaver AS ABAP and ABAP Platform | SAP NetWeaver AS ABAP and ABAP Platform, versions KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT; KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT; KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49; KRNL64UC 8.04, 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.53; KERNEL 8.04, 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.53, 7.77, 7.81, 7.84 | Medium | 5.3 |
| 3059764 | [CVE-2021-33687] Information Disclosure in SAP NetWeaver AS for Java (Enterprise Portal) | SAP NetWeaver AS JAVA (Enterprise Portal), versions 7.10, 7.20, 7.30, 7.31, 7.40, 7.50 | Medium | 4.5 |
| 3044751 | [CVE-2021-33667] Information Disclosure in SAP Business Objects Web Intelligence (BI Launchpad) | SAP Business Objects Web Intelligence (BI Launchpad), versions 420, 430 | Medium | 4.3 |
| 3067890 | [Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer (CVE-2021-33681, CVE-2021-33680) | SAP 3D Visual Enterprise Viewer, version 9.0 | Medium | 4.3 |
| 3038594 | [CVE-2021-33689] Insufficient Logging in SAP NetWeaver AS for JAVA (Administrator) | SAP NetWeaver AS JAVA (Administrator applications), version 7.50 | Low | 3.5 |

Posted by Christoph Nagy