SAP releases March 2021 security updates
On Tuesday, 9th March, SAP released a total of 14 new and updated security notes. Four of them carry the highest severity rating, Hot News.
Two Hot News notes rated CVSS 10.0 are not as critical as they might seem:
One is an old, well-known security note that has been updated regularly over the past months – Security updates for the browser control Google Chromium delivered with SAP Business Client (Note #2622660).
The other, Missing Authentication Check in SAP Solution Manager (Note #2890213), has also been updated. It is recommended to implement this patch as soon as possible, as it fixes the missing check in SAP Solution Manager.
One of the vulnerabilities addressed, with a CVSS rating of 9.9 out of 10, is the SAP MII Code Injection Vulnerability (CVE-2021-21480). Versions 15.1, 15.2, 15.3, and 15.4 are affected. SAP MII is a Java-based SAP NetWeaver AS platform that provides real-time production monitoring and rich data analysis tools. The flaw stems from an SAP MII component called Self-Service Composition Environment (SSCE), which is used to design dashboards for real-time data analysis. These dashboards can be saved as Java Server Pages (JSP) files. However, an attacker can remotely intercept a JSP request to the server, inject malicious code into it, and then forward it to the server.
Another SAP Hot News note, #3022422 (CVE-2021-21481), with a CVSS score of 9.6, fixes a missing authorization check in the SAP NetWeaver AS Java Migration Service. Failure to verify authorization could allow an unauthorized attacker to gain administrative privileges. This can lead to a complete compromise of the confidentiality, integrity and availability of the system.
SAP completes acquisition of Signavio
The companies announced the deal in February and completed it in early March. SAP said the acquisition will be used to support a new business transformation solution that moves more systems to the cloud to make businesses more resilient. Signavio process control technology is a cloud-based solution. Signavio products become part of the SAP Business Process Analytics portfolio and complement the SAP End-to-End Process Transformation portfolio.
New SAP Fieldglass Assignment Management is available
SAP announced the general availability of a new SAP Fieldglass Assignment Management solution that enables organizations in resource-intensive industries (oil and gas, chemical, utilities) to manage the execution and accounting of day-to-day equipment maintenance activities performed by external workers. The new solution enables organizations to track and manage onsite contracting assignments, from an issued maintenance order and an approved individual or general purchase order to an automatically generated vendor invoice.
SAP and Accenture launch Sustainable Future accelerator program
SAP and Accenture are launching a global acceleration program focused on sustainability to enable 13 startups from different industries to improve their positive impact on both the industry and society. Sustainable Future is a zero-equity program aimed at promoting digital transformation and innovation for corporate startups in four focus areas, including carbon tracking and trading, resource efficiency, tracking and mitigating climate risks, and circular economy. Startups will receive curated mentoring, access to SAP technology and application programming interfaces (APIs), and interact with SAP and Accenture customers to develop compelling proofs of concept. The accelerator program will last three months and will conclude with a demo day on July 8, 2021.