SAP Security Notes - February 2021 - Safe O'Clock

SAP Security Notes – February 2021

February 9, 2021

On the 9th of February 2021, SAP Security Patch Day saw the release of 7 new Security Notes.

There were 6 updates to previously released Patch Day Security Notes.

Notes by severity

HotNews: 3
Correction with high priority: 2
Correction with medium priority: 8
Correction with low priority: 0

Highlights

On the February Patch Day, SAP presented 5 high-severity Notes, 3 of them rated as HotNews.

To start, Security Note 2622660, Security updates for the browser control Google Chromium delivered with SAP Business Client, with a CVSS score of 10, is a familiar entry: the Google Chromium note is among the most frequently updated on SAP Patch Days.

Security Note 3014121, Remote Code Execution vulnerability in SAP Commerce, with a CVSS score of 9.9, describes how an attacker could compromise the underlying host.

SAP Business Warehouse systems receive an update to last month's Security Note 2986980, with a CVSS score of 9.9. The note was extended to BW releases from BW 7.0x.

SAP NetWeaver AS ABAP received two Security Notes with high priority: Note 2993132, Missing Authorization check in SAP NetWeaver AS ABAP and SAP S4 HANA (SAP Landscape Transformation), and Note 3000306, Denial of service (DOS) in SAP NetWeaver AS ABAP and ABAP Platform, with CVSS scores of 7.6 and 7.5 respectively.

Summary

| SAP Component | Number | Title | CVSS Score | Priority | CVSS Vector |
|---|---|---|---|---|---|
| BC-FES-BUS-DSK | 2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | 10.0 | HotNews | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| CEC-COM-CPS-CKP | 3014121 | [CVE-2021-21477] Remote Code Execution vulnerability in SAP Commerce | 9.9 | HotNews | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| BW-WHM-DST-DBC | 2986980 | [CVE-2021-21465] Multiple vulnerabilities in SAP Business Warehouse (Database Interface) | 9.9 | HotNews | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| CA-DT-CNV | 2993132 | [CVE-2020-26832] Missing Authorization check in SAP NetWeaver AS ABAP and SAP S4 HANA (SAP Landscape Transformation) | 7.6 | Correction with high priority | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:H |
| BC-ABA-LA | 3000306 | [CVE-2021-21446] Denial of service (DOS) in SAP NetWeaver AS ABAP and ABAP Platform | 7.5 | Correction with high priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| MDM-FN-INS | 2998173 | [CVE-2021-21472] Server password not set during installation of SAP NetWeaver Master Data Management 7.1 | 6.3 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
| BC-XI-CON-JPR | 2789866 | [CVE-2019-0337] Cross-Site Scripting (XSS) vulnerability in Java Proxy Runtime of SAP NetWeaver Process Integration | 6.1 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| BI-BIP-CMC | 2935791 | [CVE-2021-21444] Clickjacking vulnerability in SAP Business Objects Business Intelligence Platform (CMC and BI Launchpad) | 5.4 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N |
| CA-UI5-COR | 3014303 | [CVE-2021-21476] Reverse Tabnabbing vulnerability in SAPUI5 | 4.7 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N |
| BC-WD-ABA | 2974582 | [CVE-2021-21478] Reverse Tabnabbing vulnerability in SAP NetWeaver Application Server ABAP (Applications based on Web Dynpro ABAP) | 4.7 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N |
| CA-UI5-DLV | 2843016 | [CVE-2019-0388] Content spoofing vulnerability in UI5 HTTP Handler | 4.3 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |
| HAN-DB-SEC | 2992154 | [CVE-2021-21474] SAML Assertion Signature MD5 Digest Algorithm Vulnerability in SAP HANA Database | 4.1 | Correction with medium priority | CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L |
| MDM-FN-MDS-SEC | 3000897 | [CVE-2021-21475] Directory Traversal vulnerability in SAP NetWeaver Master Data Management 7.1 | 4.0 | Correction with medium priority | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N |

 
