SAP Security Notes - April 2021 - Safe O'Clock

SAP Security Notes – April 2021

April 12, 2021

On the 12th of April 2021, SAP Security Patch Day saw the release of 20 new Security Notes.

There was 1 update to previously released Patch Day Security Notes.

Notes by severity

| Priority | Count |
|---|---|
| HotNews | 5 |
| Correction with high priority | 3 |
| Correction with medium priority | 12 |
| Correction with low priority | 1 |

Highlights

On the April Patch Day, SAP presents 8 high-severity Notes, 5 of them rated HotNews.

Our list opens with the usual update of Security Note 2622660 – Security updates for the browser control Google Chromium delivered with SAP Business Client (CVSS Score of 10), an update of the Note originally released in August 2018. Security Note 3022622 – Code injection vulnerability in SAP Manufacturing Integration and Intelligence (CVSS Score of 9.1) was also updated from March: Security Note 3158613 can now be used as the complete fix to implement.

The Remote Code Execution vulnerability in SAP HANA Extended Application Services is covered by Security Note 3189428 – Remote Code Execution vulnerability associated with Spring Framework used in SAP HANA Extended Application Services (CVSS Score of 9.8).

Security Note 3170990 – Central Security Note for Remote Code Execution vulnerability associated with Spring Framework (CVSS Score of 9.8) serves as the central Note for the Spring Framework Remote Code Execution vulnerability. SAP is expected to update this Note with additional affected components.

Summary

| SAP Component | Number | Title | CVSS Score | Priority | CVSS Vector |
|---|---|---|---|---|---|
| BC-FES-BUS-DSK | 2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | 10 | HotNews | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| BC-XS-SEC | 3189428 | [CVE-2022-22965] Remote Code Execution vulnerability associated with Spring Framework used in SAP HANA Extended Application Services | 9.8 | HotNews | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| XX-SER-SN | 3170990 | [CVE-2022-22965] Central Security Note for Remote Code Execution vulnerability associated with Spring Framework | 9.8 | HotNews | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| MFG-MII | 3158613 | Update 1 to Security Note 3022622 – [CVE-2021-21480] Code injection vulnerability in SAP Manufacturing Integration and Intelligence | 9.1 | HotNews | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
| MFG-MII | 3022622 | [CVE-2021-21480] Code injection vulnerability in SAP Manufacturing Integration and Intelligence | 9.1 | HotNews | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
| BI-BIP-CMC | 3130497 | [CVE-2022-27671] CSRF token visible in one of the URLs in SAP Business Intelligence Platform | 8.2 | Correction with high priority | CVSS:/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:H |
| BC-CST-WDP | 3111311 | [CVE-2022-28772] Denial of service (DOS) in SAP Web Dispatcher and SAP Netweaver (Internet Communication Manager) | 7.5 | Correction with high priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| CEC-COM-CPS | 3155609 | Privilege escalation vulnerability in Apache Tomcat server component of SAP Commerce | 7 | Correction with high priority | CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| BI-BIP-ADM | 3137191 | [CVE-2022-22541] Information Disclosure vulnerability in SAP BusinessObjects Platform | 6.8 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N |
| EP-PIN-WPC | 3148377 | [CVE-2022-28217] Missing XML Validation vulnerability in SAP NW EP WPC | 6.5 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| BC-SYB-SQA | 3148094 | [CVE-2022-27670] Denial of service (DOS) in SQL Anywhere | 6.5 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| CA-VE-VEV | 3143437 | [Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer | 6.5 | Correction with medium priority | CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L |
| EP-PIN-PRT | 3163583 | [CVE-2022-26105] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal | 6.1 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| BI-DEV-WEB | 3055044 | [CVE-2022-28213] Missing XML Validation vulnerability in SAP BusinessObjects Business Intelligence Platform (dswsbobje – SOAP Web services) | 5.4 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L |
| BC-ILM-DAS | 3152442 | [CVE-2022-27669] Missing Authentication check in XML Data Archiving Service | 5.3 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| BC-CST-WDP | 3111293 | [CVE-2022-28773] Denial of service (DOS) in SAP Web Dispatcher and SAP Netweaver (Internet Communication Manager) | 4.9 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H |
| BI-BIP-BIW | 3150845 | [CVE-2022-28216] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (BI Workspace) | 4.3 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| XX-PART-ADB-IFM | 3138299 | [CVE-2021-44832] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP NetWeaver ABAP Server and ABAP Platform (Adobe LiveCycle Designer 11.0) | 4.1 | Correction with medium priority | CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L |
| SV-FRN-INF-SDA | 3159091 | [CVE-2022-27657] Directory Traversal vulnerability in SAP Focused Run (Simple Diagnostics Agent 1.0) | 2.7 | Correction with low priority | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N |