On the 10th of August 2021, SAP Security Patch Day saw the release of 14 new Security Notes.
There was 1 update to previously released Patch Day Security Notes.
Notes by severity
| HotNews | 3 |
| Correction with high priority | 5 |
| Correction with medium priority | 7 |
Highlights
On August Patch Day SAP presents 8 high-severity Security Notes with 3 rated as HotNews.
Starting with two Security Notes with a high CVSS Score of 9.9 each, 3072955 – Server Side Request Forgery vulnerability in SAP NetWeaver Development Infrastructure (Component Build Service) and Note 3071984 – Unrestricted File Upload vulnerability in SAP Business One.
Security Note 3072955 describes the possibility for the potential attacker to send crafted queries to limit server availability and affect its data. It is noted, that a threat is measured differently whether the infrastructure has internet-dependant operations or not. SAP Business One systems are threatened by uploading unchecked files for further malicious execution if we are talking about the symptoms describing 3071984 Note vulnerability. The vast majority of SAP users use this system, so we strongly advise you to get familiar with the presented solution.
To continue the talk about SAP Business One security: 3073325, Missing Authentication check in SAP Business One Note with CVSS Score of 7.0, covers the possibility of a local attacker getting non-authorised access to an application.
Another HotNews for today is SQL Injection vulnerability in SAP NZDT Row Count Reconciliation explained in 3078312 Security Note, noted with a CVSS Score of 9.1. The Backend Database could be accessed through DMIS Mobile or S/4 HANA using the account with high enough privileges and executing pre-configured queries in NZDT tool. Solution steps and presented workarounds cover this issue.
In the several, highly rated Security Notes, SAP team draws attention to different SAP NetWeaver Enterprise Portal vulnerabilities. Notes 3073681, 3072920 and 3074844 describe the exposure to Cross-Site Scripting (XSS) and Server-Side Request Forgery (SSRF) on different versions of the SAP Enterprise Portal and its application extensions. CVSS Score of these Notes is 8.3, 8.3 and 8.1 correspondingly.
Summary
| SAP Component | Number | Title | CVSS Score | Priority | CVSS Vector |
| SBO-CRO-SEC | 3071984 | [CVE-2021-33698] Unrestricted File Upload vulnerability in SAP Business One | 9.9 | HotNews | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| BC-CTS-CBS-SRV | 3072955 | [CVE-2021-33690] Server Side Request Forgery vulnerability in SAP NetWeaver Development Infrastructure (Component Build Service) | 9.9 | HotNews | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| BC-UPG-NZ | 3078312 | [CVE-2021-33701] SQL Injection vulnerability in SAP NZDT Row Count Reconciliation | 9.1 | HotNews | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
| EP-PIN-NAV | 3073681 | [CVE-2021-33702] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal | 8.3 | Correction with high priority | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H |
| EP-PIN-NAV | 3072920 | [CVE-2021-33703] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal | 8.3 | Correction with high priority | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H |
| EP-PIN-URL-UIV | 3074844 | [CVE-2021-33705] Server-Side Request Forgery (SSRF) vulnerability in SAP NetWeaver Enterprise Portal | 8.1 | Correction with high priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
| MOB-FC | 3067219 | [CVE-2021-33699] Task Hijacking in SAP Fiori Client Native Mobile for Android | 7.6 | Correction with high priority | CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L |
| SBO-CRO-SEC | 3073325 | [CVE-2021-33700] Missing Authentication check in SAP Business One | 7.0 | Correction with high priority | CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| BC-CTS-DI | 3073450 | [CVE-2021-33691] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Development Infrastructure (Notification Service) | 6.9 | Correction with medium priority | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N |
| BC-MID-SCC | 3058553 | [CVE-2021-33695] Multiple Vulnerabilities in SAP Cloud Connector | 6.8 | Correction with medium priority | CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
| SBO-CRO-SEC | 3078072 | [CVE-2021-33704] Missing Authorization Check in SAP Business One (Service Layer) | 6.3 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
| BC-SRV-RM | 3002517 | [CVE-2021-21473] Missing Authorization check in SAP NetWeaver AS ABAP and ABAP Platform | 6.3 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
| EP-KM-CM | 3076399 | [CVE-2021-33707] URL Redirection vulnerability in SAP NetWeaver (Knowledge Management) | 6.1 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| BI-RA-CR-VW | 3062085 | [CVE-2021-33696] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (Crystal Report) | 5.4 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| BI-BIP-INV | 3063048 | [CVE-2021-33697] Reverse Tabnabbing in SAP BusinessObjects Business Intelligence Platform (SAP UI5) | 4.7 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N |
