SAP Security Notes - August 2021 - Safe O'Clock

SAP Security Notes – August 2021

August 10, 2021

On the 10th of August 2021, SAP Security Patch Day saw the release of 14 new Security Notes.

There was 1 update to previously released Patch Day Security Notes.

Notes by severity

HotNews: 3
Correction with high priority: 5
Correction with medium priority: 7

Highlights

On the August Patch Day, SAP presents 8 high-severity Security Notes, 3 of them rated as HotNews.

Starting with two Security Notes that carry a high CVSS Score of 9.9 each: Note 3072955, Server Side Request Forgery vulnerability in SAP NetWeaver Development Infrastructure (Component Build Service), and Note 3071984, Unrestricted File Upload vulnerability in SAP Business One.

Security Note 3072955 describes how a potential attacker could send crafted queries that limit server availability and affect its data. It is noted that the threat is rated differently depending on whether the infrastructure has internet-dependent operations or not. As for the vulnerability described in Note 3071984, SAP Business One systems are threatened by the upload of unchecked files that can later be executed maliciously. The vast majority of SAP users use this system, so we strongly advise you to get familiar with the presented solution.

To continue on the topic of SAP Business One security: Note 3073325, Missing Authentication check in SAP Business One, with a CVSS Score of 7.0, covers the possibility of a local attacker gaining unauthorised access to the application.

Another HotNews for today is the SQL Injection vulnerability in SAP NZDT Row Count Reconciliation explained in Security Note 3078312, rated with a CVSS Score of 9.1. The backend database could be accessed through DMIS Mobile or S/4 HANA using an account with sufficiently high privileges and executing pre-configured queries in the NZDT tool. The solution steps and the presented workarounds cover this issue.

In several highly rated Security Notes, the SAP team draws attention to different SAP NetWeaver Enterprise Portal vulnerabilities. Notes 3073681, 3072920 and 3074844 describe exposure to Cross-Site Scripting (XSS) and Server-Side Request Forgery (SSRF) in different versions of the SAP Enterprise Portal and its application extensions. The CVSS Scores of these Notes are 8.3, 8.3 and 8.1 respectively.

Summary

| SAP Component | Number | Title | CVSS Score | Priority | CVSS Vector |
|---|---|---|---|---|---|
| SBO-CRO-SEC | 3071984 | [CVE-2021-33698] Unrestricted File Upload vulnerability in SAP Business One | 9.9 | HotNews | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| BC-CTS-CBS-SRV | 3072955 | [CVE-2021-33690] Server Side Request Forgery vulnerability in SAP NetWeaver Development Infrastructure (Component Build Service) | 9.9 | HotNews | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| BC-UPG-NZ | 3078312 | [CVE-2021-33701] SQL Injection vulnerability in SAP NZDT Row Count Reconciliation | 9.1 | HotNews | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
| EP-PIN-NAV | 3073681 | [CVE-2021-33702] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal | 8.3 | Correction with high priority | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H |
| EP-PIN-NAV | 3072920 | [CVE-2021-33703] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal | 8.3 | Correction with high priority | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H |
| EP-PIN-URL-UIV | 3074844 | [CVE-2021-33705] Server-Side Request Forgery (SSRF) vulnerability in SAP NetWeaver Enterprise Portal | 8.1 | Correction with high priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
| MOB-FC | 3067219 | [CVE-2021-33699] Task Hijacking in SAP Fiori Client Native Mobile for Android | 7.6 | Correction with high priority | CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L |
| SBO-CRO-SEC | 3073325 | [CVE-2021-33700] Missing Authentication check in SAP Business One | 7.0 | Correction with high priority | CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| BC-CTS-DI | 3073450 | [CVE-2021-33691] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Development Infrastructure (Notification Service) | 6.9 | Correction with medium priority | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N |
| BC-MID-SCC | 3058553 | [CVE-2021-33695] Multiple Vulnerabilities in SAP Cloud Connector | 6.8 | Correction with medium priority | CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
| SBO-CRO-SEC | 3078072 | [CVE-2021-33704] Missing Authorization Check in SAP Business One (Service Layer) | 6.3 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
| BC-SRV-RM | 3002517 | [CVE-2021-21473] Missing Authorization check in SAP NetWeaver AS ABAP and ABAP Platform | 6.3 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
| EP-KM-CM | 3076399 | [CVE-2021-33707] URL Redirection vulnerability in SAP NetWeaver (Knowledge Management) | 6.1 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| BI-RA-CR-VW | 3062085 | [CVE-2021-33696] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (Crystal Report) | 5.4 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| BI-BIP-INV | 3063048 | [CVE-2021-33697] Reverse Tabnabbing in SAP BusinessObjects Business Intelligence Platform (SAP UI5) | 4.7 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N |
