SAP Security Notes - August 2021 - Safe O'Clock

SAP Security Notes – August 2021

August 10, 2021

On the 10th of August 2021, SAP Security Patch Day saw the release of 14 new Security Notes.

There was 1 update to previously released Patch Day Security Notes.

Notes by severity

HotNews 3
Correction with high priority 5
Correction with medium priority 7

Highlights

On August Patch Day SAP presents 8 high-severity Security Notes with 3 rated as HotNews.

Starting with two Security Notes with a high CVSS Score of 9.9 each, 3072955Server Side Request Forgery vulnerability in SAP NetWeaver Development Infrastructure (Component Build Service) and Note 3071984Unrestricted File Upload vulnerability in SAP Business One.

Security Note 3072955 describes the possibility for the potential attacker to send crafted queries to limit server availability and affect its data. It is noted, that a threat is measured differently whether the infrastructure has internet-dependant operations or not. SAP Business One systems are threatened by uploading unchecked files for further malicious execution if we are talking about the symptoms describing 3071984 Note vulnerability. The vast majority of SAP users use this system, so we strongly advise you to get familiar with the presented solution.

To continue the talk about SAP Business One security: 3073325, Missing Authentication check in SAP Business One Note with CVSS Score of 7.0, covers the possibility of a local attacker getting non-authorised access to an application.

Another HotNews for today is SQL Injection vulnerability in SAP NZDT Row Count Reconciliation explained in 3078312 Security Note, noted with a CVSS Score of 9.1. The Backend Database could be accessed through DMIS Mobile or S/4 HANA using the account with high enough privileges and executing pre-configured queries in NZDT tool. Solution steps and presented workarounds cover this issue.

In the several, highly rated Security Notes, SAP team draws attention to different SAP NetWeaver Enterprise Portal vulnerabilities. Notes 3073681, 3072920 and 3074844 describe the exposure to Cross-Site Scripting (XSS) and Server-Side Request Forgery (SSRF) on different versions of the SAP Enterprise Portal and its application extensions. CVSS Score of these Notes is 8.3, 8.3 and 8.1 correspondingly.

Summary

SAP Component Number Description Priority CVSS CVSS Vector
SBO-CRO-SEC 3071984 [CVE-2021-33698] Unrestricted File Upload vulnerability in SAP Business One HotNews 9.9 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
BC-CTS-CBS-SRV 3072955 [CVE-2021-33690] Server Side Request Forgery vulnerability in SAP NetWeaver Development Infrastructure (Component Build Service) HotNews 9.9 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
BC-UPG-NZ 3078312 [CVE-2021-33701] SQL Injection vulnerability in SAP NZDT Row Count Reconciliation HotNews 9.1 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EP-PIN-NAV 3073681 [CVE-2021-33702] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal high 8.3 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
EP-PIN-NAV 3072920 [CVE-2021-33703] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal high 8.3 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
EP-PIN-URL-UIV 3074844 [CVE-2021-33705] Server-Side Request Forgery (SSRF) vulnerability in SAP NetWeaver Enterprise Portal high 8.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
MOB-FC 3067219 [CVE-2021-33699] Task Hijacking in SAP Fiori Client Native Mobile for Android high 7.6 CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L
SBO-CRO-SEC 3073325 [CVE-2021-33700] Missing Authentication check in SAP Business One high 7.0 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
BC-CTS-DI 3073450 [CVE-2021-33691] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Development Infrastructure (Notification Service) medium 6.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N
BC-MID-SCC 3058553 [CVE-2021-33695] Multiple Vulnerabilities in SAP Cloud Connector medium 6.8 CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
SBO-CRO-SEC 3078072 [CVE-2021-33704] Missing Authorization Check in SAP Business One (Service Layer) medium 6.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
BC-SRV-RM 3002517 [CVE-2021-21473] Missing Authorization check in SAP NetWeaver AS ABAP and ABAP Platform medium 6.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
EP-KM-CM 3076399 [CVE-2021-33707] URL Redirection vulnerability in SAP NetWeaver (Knowledge Management) medium 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
BI-RA-CR-VW 3062085 [CVE-2021-33696] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (Crystal Report)
medium 5.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
BI-BIP-INV 3063048 [CVE-2021-33697] Reverse Tabnabbing in SAP BusinessObjects Business Intelligence Platform (SAP UI5) medium 4.7 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
You Might Be Interested In

The latest news in the
sphere of SAP security

SAP Security Notes – February 2024

On the 13th of February 2024, SAP Security Patch Day saw the release of 13 new Security Notes. There were […]

Read more
SAP Security Notes – January 2024

On the 9th of January 2024, SAP Security Patch Day saw the release of 10 new Security Notes. There were […]

Read more
SAP Security Notes – December 2023

On the 12th of December 2023, SAP Security Patch Day saw the release of 15 new Security Notes. There were […]

Read more
SAP Security Notes – November 2023

On the 14th of November 2023, SAP Security Patch Day saw the release of 3 new Security Notes. There were […]

Read more

Subscribe today to get more insights,
updates, and industry trends

Delivered to your inbox weekly.
No spam. We respect your privacy

    This website use cookies. Learn more
    OK