On the 14th of July 2021, SAP Security Patch Day released 12 new Security Notes.
There were 3 updates to previously released Patch Day Security Notes.
Notes by severity
| HotNews | 2 |
| Correction with high priority | 2 |
| Correction with medium priority | 10 |
| Correction with low priority | 1 |
Highlights
On August Patch Day SAP presents 4 high-severity Security Notes with 2 rated as HotNews.
The HotNews update for 2622660 Security Note – Security updates for the browser control Google Chromium delivered with SAP Business Client with a CVSS Score of 10 starts our list today. Google Chromium engine was updated with several new fixes. The regular update includes several fixes to apply.
The Note 3007182 update – Improper Authentication in SAP NetWeaver ABAP Server and ABAP Platform with a CVSS Score of 9.0 – in its core is the re-release of the June Note which describes the lack of recording information about the RFC users. Patches and Support packages were updated along with an additional SP Stack Kernel package.
Following highly-rated Security Note 3059446 to look at is Missing Authorization check in SAP NetWeaver Guided Procedures with a CVSS Score of 7.6. The necessary authorisation is not provided by Administration Workset for authenticated users, resulting in the escalation of privileges. Such users could easily compromise the security and integrity of the target system.
The last Note to cover released with high severity is Denial of Service (DoS) in SAP NetWeaver AS for Java (Http Service) Note numbered 3056652. Long response delays and service interruptions could be caused by the DoS attack. We advice you to get familiar with solution steps to exclude this possibility.
Summary
| SAP Component | Number | Description | Priority | CVSS | CVSS Vector |
|---|---|---|---|---|---|
| BC-FES-BUS-DSK | 2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | HotNews |
10.0
|
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| BC-MID-RFC | 3007182 | [CVE-2021-27610] Improper Authentication in SAP NetWeaver ABAP Server and ABAP Platform | HotNews |
9.0
|
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H |
| BC-GP | 3059446 | [CVE-2021-33671] Missing Authorization check in SAP NetWeaver Guided Procedures | high |
7.6
|
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L |
| BC-JAS-WEB | 3056652 | [CVE-2021-33670] Denial of Service (DoS) in SAP NetWeaver AS for Java (Http Service) | high |
7.5
|
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| CRM-MKT-SEG-TGR | 3066316 | [CVE-2021-33676] Missing authorization check in SAP CRM ABAP | medium |
6.8
|
CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| BC-XI-IBD-MAP | 3036436 | [CVE-2021-27604] Potential XXE Vulnerability in SAP Process Integration (ESR Java Mappings) | medium |
6.5
|
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| BC-MID-RFC-BG | 3044754 | [CVE-2021-33677] Information Disclosure in SAP NetWeaver AS ABAP and ABAP Platform | medium |
6.5
|
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L |
| BC-SRV-BP | 3048657 | [CVE-2021-33678] Code Injection vulnerability in SAP NetWeaver AS ABAP (Reconciliation Framework) | medium |
6.5
|
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H |
| BI-LUM-SRV-BIP | 3053403 | [CVE-2021-33682] Cross-Site Scripting (XSS) vulnerability in SAP Lumira Server | medium |
5.4
|
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| BC-CST-WDP | 3000663 | [CVE-2021-33683] HTTP Request Smuggling in SAP Web Dispatcher and Internet Communication Manager | medium |
5.4
|
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
| BC-MID-RFC | 3032624 | [CVE-2021-33684] Memory Corruption in SAP NetWeaver AS ABAP and ABAP Platform | medium |
5.3
|
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
| EP-PIN-NAV | 3059764 | [CVE-2021-33687] Information Disclosure in SAP NetWeaver AS for Java (Enterprise Portal) | medium |
4.5
|
CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N |
| BI-RA-WBI-FE-HTM | 3044751 | [CVE-2021-33667] Information Disclosure in SAP Business Objects Web Intelligence (BI Launchpad) | medium |
4.3
|
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| CA-VE-VEV | 3067890 | [Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer | medium |
4.3
|
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L |
| BC-JAS-ADM-ADM | 3038594 | [CVE-2021-33689] Insufficient Logging in SAP NetWeaver AS for JAVA (Administrator) | low |
3.5
|
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N |
