Skip to content
Linkedin Twitter Facebook Xing
< Back to Overview

SAP Security Patch Day – November 2021

SAP security Patch day

November has come and the days in Germany are getting shorter and colder. No reason for the SAP Security and Response team not to continue their monthly patching practice! Looking at today’s publication of SAP Security Patch Day, we luckily find only 1 Hot News and 2 High priority corrections.

The month of November 2021 has seen a total of 7 published Security Patches by the SAP Security Response team. Regular visitors of our Dashboard know that this is only half the number of notes we see on average. 

This is good news for all SAP customers that execute regular patching to eliminate known vulnerabilities within the SAP product portfolio. Reviewing, validating and applying monthly SAP security corrections can be a tedious task. A low number of SAP patches published in November does reduce manual efforts. Any time gained can be invested into other security-relevant areas such as custom code security or hardening of the SAP environement.

Highlights

A specific highlight of the November SAP Security Patch Day is the correction in Note 3099776. The patch resolves a severe vulnerability in the trusting RFC technology stack that allows an attacker to gain elevated rights. Customers need to upgrade their Kernel version to resolve the issue. The SAP team also recommends making use of the suggested Update Strategy for the Kernel of the Application Server ABAP in On-Premise Landscapes.

Use SecurityBridge Patch Management to never miss an important patch, applicable for your SAP products.

Request a Demo

Summary by Severity

The November release contains a total of 7 patches for the following severities:

SeverityNumber
Hot News
1
High
2
Medium
4
NoteDescriptionSeverityCVSS
3099776 [CVE-2021-40501] Missing Authorization check in ABAP Platform Kernel
Product - SAP ABAP Platform Kernel, Versions - 7.77, 7.81, 7.85, 7.86
Hot News
9.6
3110328 [CVE-2021-40502] Missing Authorization check in SAP Commerce
Product - SAP Commerce, Versions - 2105.3, 2011.13, 2005.18, 1905.34
High
8.3
2971638 Update to Security Note released on October 2020 Patch Day:[CVE-2020-6369] Hard-coded Credentials in CA Introscope Enterprise Manager (Affected products: SAP Solution Manager and SAP FocusedProduct- CA Introscope Enterprise Manager (Affected products: SAP Solution Manager and SAP Focused Run), Versions - 9.7, 10.1, 10.5, 10.7
High
7.5
3080106 [CVE-2021-40503] Information Disclosure in SAP GUI for Windows
Product - SAP GUI for Windows, Versions - < 7.60 PL13, 7.70 PL4
Medium
6.8
3104456 [CVE-2021-42062] Missing Authorization check in SAP ERP HCM
Product - SAP ERP HCM Portugal, Versions - 600, 604, 608
Medium
6.5
3068582 Update to Security Note released on September 2021 Patch Day:[CVE-2021-38164] Missing Authorization check in in SAP ERP Financial Accounting / RFOPENPOSTING_FR
Product - SAP ERP Financial Accounting (RFOPENPOSTING_FR) , Versions - SAP_APPL - 600, 602, 603, 604, 605, 606, 616, SAP_FIN - 617, 618, 700, 720, 730, SAPSCORE - 125, S4CORE, 100, 101, 102, 103, 104, 105 
Medium
5.4
3105728 [CVE-2021-40504] Leverage of Permission in SAP NetWeaver Application Server for ABAP and ABAP Platform
Product - SAP NetWeaver AS for ABAP and ABAP Platform, Versions - 700, 701, 702,710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756
Medium
4.9

Source

Posted by

Christoph Nagy
Find recent Security Advisories for SAP©
View Advisory for Oct'21
White Paper - Bridging the Gap How SecurityBridge Supports NIST CSF in SAP Environments
Download the White Paper “Bridging the Gap – How SecurityBridge Supports NIST CSF in SAP Environments”. Learn how choosing the right tool can significantly shorten the journey of NIST CSF adoption and improve the security posture of SAP environments.
Security Automation Webinar

Security Automation: The Need for a Last Line of Defense

Join our upcoming webinar session on Security Automation with special guests from SecurityBridge and discover how you can automate your SAP security and compliance processes to improve your security posture and implement a last line of defence for your mission-critical SAP landscape.
Learn more
Senior SAP Developer Singapore

Senior SAP Developer (ABAP/4 and SAPUI5 Fiori) – Singapore

Careers
As a Senior SAP Developer, you will be responsible for designing, developing, and maintaining SAP solutions while leading and guiding a team of developers. You will play a crucial role in the development of standard products, and your technical expertise and communication skills will be instrumental in ensuring the success of our projects. This role demands strong leadership, technical acumen, and the ability to collaborate effectively in an international development team.

Countering Data Breaches – An Urgent Call for Action

SAP Cybersecurity
Earlier this year, IBM presented its 18th edition of ‘The Cost of a Data Breach Report’ (you can find it here). This publication provides detailed and valuable insights into various factors related to data breaches. It is based on research carried out at 553 impacted organizations - any IT security professional should check it out. In this article, we will highlight some of this report’s findings and bring them into the context of SAP security.
We're hiring a financial controller/analyst

Financial Controller

Careers
As a Controller/Financial Analyst at SecurityBridge, you will play a crucial role in managing and optimizing financial processes, ensuring accurate reporting, and providing strategic financial insights. This is an exciting opportunity for a detail-oriented professional to contribute to the financial success of the fastest-growing cybersecurity provider for SAP systems.