SAP releases May 2021 security updates
On Tuesday, 11 May, SAP released a total of 6 new and 5 updated security notes. Three of them carry the highest severity rating, Hot News.
All three Hot News security notes are updates to previously released notes.
The first is an update to a security note originally released on the August 2018 Patch Day, covering security updates for the Google Chromium browser control delivered with SAP Business Client. The vulnerability affects SAP Business Client version 6.5 and carries a critical CVSS score of 10.
The other two updated notes, both with a CVSS score of 9.9, fix a remote code execution vulnerability in the Source Rules of SAP Commerce and a code injection vulnerability in SAP Business Warehouse and BW/4HANA, respectively.
Three of the new security notes are rated high severity.
Two of them (CVE-2021-27616 and CVE-2021-27613) fix three vulnerabilities in SAP Business One. The first two flaws affect Business One for SAP HANA and can lead to code injection, allowing an attacker to take full control of the application; the third affects Business One on SQL Server and could lead to the disclosure of salary data.
The third high severity security note (CVE-2021-27611) addresses a code injection vulnerability in SAP NetWeaver AS ABAP that could allow an attacker with access to the local SAP system to read and overwrite data or launch a denial of service (DoS) attack.
New platform for SAP cloud services in Australia
SAP Critical Data Cloud is a new platform for SAP cloud services in Australia and New Zealand, designed to protect mission-critical business applications in government and in highly regulated industries such as utilities, healthcare and financial services. The launch of the platform is scheduled for the second half of 2021. The new platform supports secure integration with other systems, such as public cloud and specialized applications.
According to SAP, the new platform is “a significant investment recognising the increased focus on improving whole-of-economy cybersecurity. The hardened platform provides customers the full functionality of SAP’s multi-tenanted cloud applications.”
Critical SAP applications under attack
Attackers are actively exploiting 6 vulnerabilities in mission-critical SAP applications. Exploitation of these vulnerabilities can lead to theft of sensitive data, financial fraud, disruption of service, and even the injection of malware, including ransomware, into an application. Between mid-2020 and April 2021, over 300 successful attacks exploiting these flaws were recorded.
On April 6, 2021, SAP issued an attack risk warning to organizations running SAP systems. The patches were released following that warning, and those who have not yet applied them are strongly advised to do so as soon as possible.