SAP Security Notes - July 2021 - Safe O'Clock

SAP Security Notes – July 2021

July 14, 2021

On the 14th of July 2021, SAP Security Patch Day released 12 new Security Notes.

There were 3 updates to previously released Patch Day Security Notes.

Notes by severity

HotNews: 2
Correction with high priority: 2
Correction with medium priority: 10
Correction with low priority: 1

Highlights

On the July Patch Day SAP presents 4 high-severity Security Notes, 2 of them rated as HotNews.

The HotNews update to Security Note 2622660 (Security updates for the browser control Google Chromium delivered with SAP Business Client), with a CVSS score of 10.0, starts our list. The Chromium engine bundled with SAP Business Client was updated with several new fixes; as with every release of this recurring Note, the current update has to be applied.

The update to Note 3007182 (Improper Authentication in SAP NetWeaver ABAP Server and ABAP Platform), with a CVSS score of 9.0, is at its core a re-release of the June Note. It describes how the system does not record information about internal and external RFC users in a consistent and distinguishable format, which could lead to improper authentication and potentially to privilege escalation. Patches and Support Packages were updated, and an additional SP Stack Kernel package was added.

The next highly rated Security Note, 3059446 (Missing Authorization check in SAP NetWeaver Guided Procedures), has a CVSS score of 7.6. The Administration Workset does not perform the necessary authorization check for an authenticated user, resulting in escalation of privileges. Such a user could compromise the security and integrity of the target system.

The last high-severity Note is 3056652 (Denial of Service (DoS) in SAP NetWeaver AS for Java (Http Service)), with a CVSS score of 7.5. A DoS attack could cause long response delays and service interruptions. We advise you to get familiar with the solution steps in the Note to exclude this possibility.

Summary

| SAP Component | Number | Title | CVSS Score | Priority | CVSS Vector |
|---|---|---|---|---|---|
| BC-FES-BUS-DSK | 2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | 10.0 | HotNews | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| BC-MID-RFC | 3007182 | [CVE-2021-27610] Improper Authentication in SAP NetWeaver ABAP Server and ABAP Platform | 9.0 | HotNews | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H |
| BC-GP | 3059446 | [CVE-2021-33671] Missing Authorization check in SAP NetWeaver Guided Procedures | 7.6 | Correction with high priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L |
| BC-JAS-WEB | 3056652 | [CVE-2021-33670] Denial of Service (DoS) in SAP NetWeaver AS for Java (Http Service) | 7.5 | Correction with high priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| CRM-MKT-SEG-TGR | 3066316 | [CVE-2021-33676] Missing authorization check in SAP CRM ABAP | 6.8 | Correction with medium priority | CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| BC-XI-IBD-MAP | 3036436 | [CVE-2021-27604] Potential XXE Vulnerability in SAP Process Integration (ESR Java Mappings) | 6.5 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| BC-MID-RFC-BG | 3044754 | [CVE-2021-33677] Information Disclosure in SAP NetWeaver AS ABAP and ABAP Platform | 6.5 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L |
| BC-SRV-BP | 3048657 | [CVE-2021-33678] Code Injection vulnerability in SAP NetWeaver AS ABAP (Reconciliation Framework) | 6.5 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H |
| BI-LUM-SRV-BIP | 3053403 | [CVE-2021-33682] Cross-Site Scripting (XSS) vulnerability in SAP Lumira Server | 5.4 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| BC-CST-WDP | 3000663 | [CVE-2021-33683] HTTP Request Smuggling in SAP Web Dispatcher and Internet Communication Manager | 5.4 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
| BC-MID-RFC | 3032624 | [CVE-2021-33684] Memory Corruption in SAP NetWeaver AS ABAP and ABAP Platform | 5.3 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
| EP-PIN-NAV | 3059764 | [CVE-2021-33687] Information Disclosure in SAP NetWeaver AS for Java (Enterprise Portal) | 4.5 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N |
| BI-RA-WBI-FE-HTM | 3044751 | [CVE-2021-33667] Information Disclosure in SAP Business Objects Web Intelligence (BI Launchpad) | 4.3 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| CA-VE-VEV | 3067890 | [Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer | 4.3 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L |
| BC-JAS-ADM-ADM | 3038594 | [CVE-2021-33689] Insufficient Logging in SAP NetWeaver AS for JAVA (Administrator) | 3.5 | Correction with low priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N |
