SAP Security Notes - March 2021 - Safe O'Clock

SAP Security Notes – March 2021

March 9, 2021

On the 9th of March 2021, SAP Security Patch Day saw the release of 7 new Security Notes.

There were 4 updates to previously released Patch Day Security Notes.

Notes by severity

| Priority | Notes |
|---|---|
| HotNews | 3 |
| Correction with high priority | 1 |
| Correction with medium priority | 7 |
| Correction with low priority | 0 |

Highlights

On March Patch Day SAP presents 4 high-severity Notes with 3 of them rated as HotNews.

Starting the list for today is Security Note 2890213, Missing Authentication Check in SAP Solution Manager, with a corresponding CVSS Score of 10. The information in the Solution section was updated; however, we advise you to pay close attention to the SAP Solution Manager Support Package versions, as from specific old versions the listed solution could not be implemented.

Another update is Security Note 2622660, Security updates for the browser control Google Chromium delivered with SAP Business Client, with a CVSS Score of 10. It is a classic Google Chromium addition to the update lists of SAP Patch Days.

A potential attacker could inject malicious code to escalate privileges using intercepted requests to the server in an SAP Manufacturing Integration and Intelligence environment. The steps to mitigate this vulnerability are described in Security Note 3022622, Code injection vulnerability in SAP Manufacturing Integration and Intelligence, with a CVSS Score of 9.9.

And, for the last highlight, SAP NetWeaver has also received a patch to restrict access to sensitive data in Security Note 3022422, Missing Authorization Check in SAP NetWeaver AS JAVA (MigrationService), with a CVSS Score of 9.6.

Summary

| SAP Component | Number | Title | CVSS Score | Priority | CVSS Vector |
|---|---|---|---|---|---|
| SV-SMG-MON-EEM | 2890213 | [CVE-2020-6207] Missing Authentication Check in SAP Solution Manager | 10.0 | HotNews | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| BC-FES-BUS-DSK | 2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | 10.0 | HotNews | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| MFG-MII | 3022622 | [CVE-2021-21480] Code injection vulnerability in SAP Manufacturing Integration and Intelligence | 9.9 | HotNews | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
| BC-UPG-TLS-TLJ | 3022422 | [CVE-2021-21481] Missing Authorization Check in SAP NetWeaver AS JAVA (MigrationService) | 9.6 | HotNews | CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| HAN-DB-SEC | 3017378 | [CVE-2021-21484] Possible authentication bypass in SAP HANA LDAP scenarios | 7.7 | Correction with high priority | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L |
| IS-B-BCA | 3007888 | [CVE-2021-21486] Missing Authorization check in SAP Enterprise Financial Services (Bank Customer Accounts) | 6.8 | Correction with medium priority | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N |
| EP-KM-CM-UI | 2983436 | [CVE-2021-21488] Insecure Deserialisation in SAP NetWeaver Knowledge Management | 6.5 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| FS-PE | 3023778 | [CVE-2021-21487] Missing Authorization Check in Payment Engine | 6.8 | Correction with medium priority | CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N |
| BI-DEV-JAV | 2943844 | [CVE-2020-6308] Server-Side Request Forgery vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Services) | 5.3 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| BC-WD-JAV | 2976947 | [CVE-2021-21491] Reverse TabNabbing vulnerability in SAP NetWeaver Application Server Java (Applications based on Web Dynpro Java) | 4.7 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N |
| CA-VE-VEV | 3027767 | [CVE-2021-27592] Improper Input Validation in SAP 3D Visual Enterprise Viewer | 4.3 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L |
| CA-VE-VEV | 3027758 | [Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer | 4.3 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L |
| PS-IS | 2944188 | [CVE-2020-6316] Missing Authorization Check in SAP ERP and SAP S/4 HANA | 4.3 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |

 

 
