On the 9th of February 2021, SAP Security Patch Day saw the release of 7 new Security Notes, plus 6 updates to previously released Patch Day Security Notes.
Notes by severity
Priority | Number of Notes |
---|---|
HotNews | 3 |
Correction with high priority | 2 |
Correction with medium priority | 8 |
Correction with low priority | 0 |
Highlights
On the February Patch Day, SAP presents 5 high-severity Notes, 3 of them rated HotNews.
To begin with, Security Note 2622660 – Security updates for the browser control Google Chromium delivered with SAP Business Client, with a CVSS score of 10, is the customary Google Chromium entry among the most frequently updated notes on SAP Patch Days.
Security Note 3014121 – Remote Code Execution vulnerability in SAP Commerce, with a CVSS score of 9.9, describes how an attacker could compromise the underlying host.
SAP Business Warehouse systems receive an update to last month's Security Note 2986980, with a CVSS score of 9.9. The note was extended to cover BW releases from BW 7.0x onward.
SAP NetWeaver AS ABAP has received two Security Notes with high priority: Note 2993132 – Missing Authorization check in SAP NetWeaver AS ABAP and SAP S4 HANA (SAP Landscape Transformation) and Note 3000306 – Denial of service (DOS) in SAP NetWeaver AS ABAP and ABAP Platform, with CVSS scores of 7.6 and 7.5 respectively.
Summary
SAP Component | Number | Description | Priority | CVSS | CVSS Vector |
---|---|---|---|---|---|
BC-FES-BUS-DSK | 2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | HotNews | 10.0 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
CEC-COM-CPS-CKP | 3014121 | [CVE-2021-21477] Remote Code Execution vulnerability in SAP Commerce | HotNews | 9.9 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
BW-WHM-DST-DBC | 2986980 | [CVE-2021-21465] Multiple vulnerabilities in SAP Business Warehouse (Database Interface) | HotNews | 9.9 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
CA-DT-CNV | 2993132 | [CVE-2020-26832] Missing Authorization check in SAP NetWeaver AS ABAP and SAP S4 HANA (SAP Landscape Transformation) | high | 7.6 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:H |
BC-ABA-LA | 3000306 | [CVE-2021-21446] Denial of service (DOS) in SAP NetWeaver AS ABAP and ABAP Platform | high | 7.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
MDM-FN-INS | 2998173 | [CVE-2021-21472] Server password not set during installation of SAP NetWeaver Master Data Management 7.1 | medium | 6.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
BC-XI-CON-JPR | 2789866 | [CVE-2019-0337] Cross-Site Scripting (XSS) vulnerability in Java Proxy Runtime of SAP NetWeaver Process Integration | medium | 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
BI-BIP-CMC | 2935791 | [CVE-2021-21444] Clickjacking vulnerability in SAP Business Objects Business Intelligence Platform (CMC and BI Launchpad) | medium | 5.4 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N |
CA-UI5-COR | 3014303 | [CVE-2021-21476] Reverse Tabnabbing vulnerability in SAPUI5 | medium | 4.7 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N |
BC-WD-ABA | 2974582 | [CVE-2021-21478] Reverse Tabnabbing vulnerability in SAP NetWeaver Application Server ABAP (Applications based on Web Dynpro ABAP) | medium | 4.7 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N |
CA-UI5-DLV | 2843016 | [CVE-2019-0388] Content spoofing vulnerability in UI5 HTTP Handler | medium | 4.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |
HAN-DB-SEC | 2992154 | [CVE-2021-21474] SAML Assertion Signature MD5 Digest Algorithm Vulnerability in SAP HANA Database | medium | 4.1 | CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L |
MDM-FN-MDS-SEC | 3000897 | [CVE-2021-21475] Directory Traversal vulnerability in SAP NetWeaver Master Data Management 7.1 | medium | 4.0 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N |