SAP Security Notes - June 2021 - Safe O'Clock

SAP Security Notes – June 2021

June 8, 2021

On the 8th of June 2021, SAP Security Patch Day saw the release of 17 new Security Notes.

There was 2 update to previously released Patch Day Security Notes.

 Notes by severity

HotNews 2
Correction with high priority 4
Correction with medium priority 13
Correction with low priority 0

Highlights

On June Patch Day SAP presents 6 high-severity Notes with 2 of them rated as HotNews.

3040210 Security Note – Remote Code Execution vulnerability in Source Rules of SAP Commerce – provides us with an update for the April release (CVSS Score 9.9). 3007182 Security Note – Improper Authentication in SAP NetWeaver ABAP Server and ABAP Platform – describes the potential compromise of the integrity of the system (CVSS Score 9.0).

Several Security Notes 3020209, 3020104 and 3021197 with a CVSS Score of 7.5 – Memory Corruption vulnerability in SAP NetWeaver ABAP Server and ABAP Platform – contain several SAP NetWeaver vulnerabilities distributed throughout the Notes by reasons and prerequisites. CPIC-based communication may temporarily become unavailable, SAP Enqueue Server (ENSA1) and NetWeaver ABAP Server along with ABAP Platform can be affected by memory corruption through potential malicious actions.

Summary

SAP Component Number Title CVSS Score Priority CVSS Vector
CEC-COM-CPS-CKP 3040210 [CVE-2021-27602] Remote Code Execution vulnerability in Source Rules of SAP Commerce 9.9 HotNews CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
BC-MID-RFC 3007182 [CVE-2021-27610] Improper Authentication in SAP NetWeaver ABAP Server and ABAP Platform 9 HotNews CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
BC-ESI-WS-JAV-CFG 3053066 [CVE-2021-27635] Missing XML Validation in SAP NetWeaver AS for JAVA 8.7 Correction with high priority CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:H
BC-CST-GW 3020209 [Multiple CVEs] Memory Corruption vulnerability in SAP NetWeaver ABAP Server and ABAP Platform 7.5 Correction with high priority CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
BC-CST-EQ 3020104 [Multiple CVEs] Memory Corruption vulnerability in SAP NetWeaver ABAP Server and ABAP Platform 7.5 Correction with high priority CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
BC-CST-DP 3021197 [Multiple CVEs] Memory Corruption vulnerability in SAP NetWeaver ABAP Server and ABAP Platform 7.5 Correction with high priority CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SBO-CRO-SEC 3058382 [CVE-2021-33662] Information Disclosure in SAP Business One 6.7 Correction with medium priority CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
MFG-ME-API 3030961 [CVE-2021-27615] Cross-Site Scripting (XSS) vulnerability in SAP Manufacturing Execution 6.4 Correction with medium priority CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
BC-SRV-RM 3002517 [CVE-2021-21473] Missing Authorization check in SAP NetWeaver AS ABAP and ABAP Platform 6.3 Correction with medium priority CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CA-SUR 3004043 [CVE-2021-21490] Cross-Site Scripting (XSS) vulnerability in SAP Netweaver AS for ABAP (Web Survey) 6.1 Correction with medium priority CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
BC-FES-IGS 3021050 [Multiple CVEs] Memory Corruption vulnerability in SAP Internet Graphics Service 5.9 Correction with medium priority CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
KM-SEN-MGR 3049879 [CVE-2021-27637] Information Disclosure in SAP Enable Now (SAP Workforce Performance Builder – Manager) 5.9 Correction with medium priority CVSS:3.0/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
BC-CST-IC 3030604 [CVE-2021-33663] Plaintext Injection in SAP NetWeaver AS for ABAP 5.8 Correction with medium priority CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
BC-JAS-SEC-UME 3023299 [CVE-2021-27621] Information Disclosure in SAP NetWeaver AS for Java (UserAdmin) 5.5 Correction with medium priority CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
BC-WD-ABA 3025604 [CVE-2021-33664] Cross-Site Scripting (XSS) vulnerability within SAP NetWeaver AS ABAP (Applications based on Web Dynpro ABAP) 5.4 Correction with medium priority CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
BC-FES-WGU 3028370 [CVE-2021-33665] Cross-Site Scripting (XSS) vulnerability within SAP NetWeaver AS ABAP (Applications based on SAP GUI for HTML) 5.4 Correction with medium priority CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CEC-HCS-CCAZ-CZO 2985562 [CVE-2021-33666] Cross-Site Scripting (XSS) in SAP Commerce Cloud 4.7 Correction with medium priority CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
CA-VE-VEV 3059999 [Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer 4.3 Correction with medium priority CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
FI-TV-ODT-MTE 3025054 [CVE-2021-27605 ] Missing Authorization check in HCM Travel Management Fiori Apps V2 4.3 Correction with medium priority CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

 

You Might Be Interested In

The latest news in the
sphere of SAP security

SAP News Overview for April 2023 – new SAP office in San Francisco, AMD is SAP customer and others

New SAP office in San Francisco SAP is constantly expanding to make its services available to more customers. The company […]

Read more
SAP Security Notes – May 2023

May 2023 On the 9th of May 2023, SAP Security Patch Day, 18 new Security Notes were released. There were […]

Read more
SAP Security Notes – April 2023

On the 11th of April 2023, SAP Security Patch Day saw the release of 19 new Security Notes. There were […]

Read more
SAP News Overview for March 2023 – Industry Cloud for healthcare, Axfood and others

SAP’s Industry Cloud helps healthcare In life sciences and healthcare, SAP is committed to helping its customers develop and advance […]

Read more

Subscribe today to get more insights,
updates, and industry trends

Delivered to your inbox weekly.
No spam. We respect your privacy

    This website use cookies. Learn more
    OK