SAP Security Notes - January 2021 - Safe O'Clock

SAP Security Notes – January 2021

January 12, 2021

On the 12th of January 2021, SAP Security Patch Day saw the release of 10 new Security Notes.

There were 6 updates to previously released Patch Day Security Notes.

Notes by severity

| Priority | Count |
|---|---|
| HotNews | 4 |
| Correction with high priority | 1 |
| Correction with medium priority | 10 |
| Correction with low priority | 1 |

Highlights

On February Patch Day SAP presents 6 high-severity Notes with 4 of them rated as HotNews.

The usual update of Security Note 2622660 – Security updates for the browser control Google Chromium delivered with SAP Business Client – with a CVSS score of 10 starts our list today.

Security Note 2986980 – Multiple vulnerabilities in SAP Business Warehouse (Database Interface) – with a CVSS score of 9.9 addresses a vulnerability in SAP Business Warehouse. The solution section was improved by extending the validity for all covered codelines down to the lowest possible SP level.

Due to a lack of input validation, an attacker who has been granted access to execute the function module in SAP Business Warehouse and SAP BW/4HANA could inject malicious ABAP code. This vulnerability and the solution steps are described in Security Note 2999854 – Code Injection in SAP Business Warehouse and SAP BW/4HANA – with a CVSS score of 9.9. Another code injection vulnerability in the same SAP products was highlighted in the re-released Security Note 2983367; its ‘Validity’ and ‘Support Packages & Patches’ information was updated.

Summary

| SAP Component | Number | Title | CVSS Score | Priority | CVSS Vector |
|---|---|---|---|---|---|
| BC-FES-BUS-DSK | 2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | 10.0 | HotNews | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| BW-WHM-DST-DBC | 2986980 | [CVE-2021-21465] Multiple vulnerabilities in SAP Business Warehouse (Database Interface) | 9.9 | HotNews | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| BW-BEX-OT-DBIF | 2999854 | [CVE-2021-21466] Code Injection in SAP Business Warehouse and SAP BW/4HANA | 9.9 | HotNews | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| BW-WHM-DBA-MD | 2983367 | [CVE-2020-26838] Code Injection vulnerability in SAP Business Warehouse (Master Data Management) and SAP BW4HANA | 9.1 | HotNews | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
| BC-ABA-LA | 3000306 | [CVE-2021-21446] Denial of service (DOS) in SAP NetWeaver AS ABAP and ABAP Platform | 7.5 | Correction with high priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| BC-UPG-NA | 2863397 | [CVE-2020-6307] Missing Authorization Check in Automated Note Search Tool (SAP_BASIS) | 6.5 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| BC-JAS-WEB | 2826528 | [CVE-2020-6224] Information Disclosure in SAP NetWeaver Application Server Java (HTTP Service) | 6.2 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N |
| CEC-HCS-SEC | 2984034 | [CVE-2021-21445] Header Manipulation vulnerability in SAP Commerce Cloud | 5.4 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| BI-RA-WBI-FE | 2965154 | [CVE-2021-21447] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface) | 5.4 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| CA-MDG-AF | 2912747 | [CVE-2020-6256] Missing Authorization check in SAP Master Data Governance | 5.4 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L |
| BC-JAS-SEC | 2971163 | [CVE-2020-26816] Missing Encryption in SAP NetWeaver AS Java (Key Storage Service) | 5.4 | Correction with medium priority | CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N |
| BC-FES-GUI | 2992269 | [CVE-2021-21448] Information Disclosure in SAP GUI for Windows | 5.3 | Correction with medium priority | CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N |
| MDM-FN-MDS-SEC | 2993032 | [CVE-2021-21469] Information Disclosure in SAP NetWeaver Master Data Management | 5.3 | Correction with medium priority | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N |
| CA-VE-VEV | 3002617 | [Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer | 4.3 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L |
| FS-BA-SD-PO | 3008422 | [CVE-2021-21467] Missing Authorization check in SAP Banking Services (Generic Market Data) | 4.3 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| EPM-XLS-SEC | 3000291 | [CVE-2021-21470] XML External Entity vulnerability in SAP EPM add-in | 3.6 | Correction with low priority | CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L |
