SAP Security Notes - April 2021 - Safe O'Clock

SAP Security Notes – April 2021

April 12, 2021

On the 12th of April 2021, SAP Security Patch Day saw the release of 20 new Security Notes.

There was 1 update to previously released Patch Day Security Notes.

Notes by severity

HotNews 5
Correction with high priority 3
Correction with medium priority 12
Correction with low priority 1

Highlights

On April Patch Day SAP presents 8 high-severity Notes with 5 of them rated as HotNews.

Usual update of a 2622660 Security Note – Security updates for the browser control Google Chromium delivered with SAP Business Client with a CVSS Score of 10 starts our list today – an update of the Note released on August 2018. Another Security Note 3022622Code injection vulnerability in SAP Manufacturing Integration and Intelligence (CVSS Score of 9.1), was updated from March: 3158613 Security Note now could be used as the complete fix to implement.

Remote Code Execution vulnerability in SAP HANA Extended Application Services was explained in 3189428 Security Note – Remote Code Execution vulnerability associated with Spring Framework used in SAP HANA Extended Application Services (CVSS Score of 9.8).

3170990 Security Note – Central Security Note for Remote Code Execution vulnerability associated with Spring Framework (CVSS Score of 9.8) – may be considered as central Note for Remote Code Execution vulnerability associated with Spring Framework. It is expected that this note will be updated with additional components.

Summary

SAP Component Number Description Priority CVSS CVSS Vector
BC-FES-BUS-DSK 2622660 Security updates for the browser control Google Chromium delivered with SAP Business Client HotNews 10.0 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
BC-XS-SEC 3189428 [CVE-2022-22965] Remote Code Execution vulnerability associated with Spring Framework used in SAP HANA Extended Application Services HotNews 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
XX-SER-SN 3170990 [CVE-2022-22965] Central Security Note for Remote Code Execution vulnerability associated with Spring Framework HotNews 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MFG-MII 3158613 Update 1 to Security Note 3022622 - [CVE-2021-21480] Code injection vulnerability in SAP Manufacturing Integration and Intelligence HotNews 9.1 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
MFG-MII 3022622 [CVE-2021-21480] Code injection vulnerability in SAP Manufacturing Integration and Intelligence HotNews 9.1 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
BI-BIP-CMC 3130497 [CVE-2022-27671] CSRF token visible in one of the URL in SAP Business Intelligence Platform. high 8.2 CVSS:/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:H
BC-CST-WDP 3111311 [CVE-2022-28772]Denial of service (DOS) in SAP Web Dispatcher and SAP Netweaver (Internet Communication Manager) high 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CEC-COM-CPS 3155609 Privilege escalation vulnerability in Apache Tomcat server component of SAP Commerce high 7.0 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
BI-BIP-ADM 3137191 [CVE-2022-22541] Information Disclosure vulnerability in SAP BusinessObjects Platform HotNews 6.8 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
EP-PIN-WPC 3148377 [CVE-2022-28217] Missing XML Validation vulnerability in SAP NW EP WPC medium 6.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
BC-SYB-SQA 3148094 [CVE-2022-27670] Denial of service (DOS) in SQL Anywhere medium 6.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CA-VE-VEV 3143437 [Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer medium 6.5 CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L
EP-PIN-PRT 3163583 [CVE-2022-26105] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal medium 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
BI-DEV-WEB 3055044 [CVE-2022-28213] Missing XML Validation vulnerability in SAP BusinessObjects Business Intelligence Platform (dswsbobje - SOAP Web services) medium 5.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
BC-ILM-DAS 3152442 [CVE-2022-27669] Missing Authentication check in XML Data Archiving Service medium 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
BC-CST-WDP 3111293 [CVE-2022-28773] Denial of service (DOS) in SAP Web Dispatcher and SAP Netweaver (Internet Communication Manager) medium 4.9 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
BI-BIP-BIW 3150845 [CVE-2022-28216] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (BI Workspace) medium 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
XX-PART-ADB-IFM 3138299 [CVE-2021-44832] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP NetWeaver ABAP Server and ABAP Platform (Adobe LiveCycle Designer 11.0) medium 4.1 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L
SV-FRN-INF-SDA 3159091 [CVE-2022-27657] Directory Traversal vulnerability in SAP Focused Run (Simple Diagnostics Agent 1.0) low 2.7 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
You Might Be Interested In

The latest news in the
sphere of SAP security

SAP Security Notes – May 2024

On the 14th of May 2024, SAP Security Patch Day saw the release of 14 new Security Notes. There were […]

Read more
SAP Security Notes – April 2024

On the 9th of April 2024, SAP Security Patch Day saw the release of 10 new Security Notes. There were […]

Read more
SAP News Overview for March 2024

SAP and NVIDIA partnership Another SAP partnership has benefited from the use of artificial intelligence. SAP SE and NVIDIA announced […]

Read more
SAP Security Notes – March 2024

On the 13th of February 2024, SAP Security Patch Day saw the release of 10 new Security Notes. There were […]

Read more

Subscribe today to get more insights,
updates, and industry trends

Delivered to your inbox weekly.
No spam. We respect your privacy

    This website use cookies. Learn more
    OK