On the 9th of March 2021, SAP Security Patch Day saw the release of 7 new Security Notes.
There were 4 updates to previously released Patch Day Security Notes.
Notes by severity
Priority | Number of Notes |
---|---|
HotNews | 3 |
Correction with high priority | 1 |
Correction with medium priority | 7 |
Correction with low priority | 0 |
Highlights
On the March Patch Day, SAP presents 4 high-severity Notes, 3 of them rated HotNews.
Starting the list for today: Security Note 2890213, Missing Authentication Check in SAP Solution Manager, with a CVSS score of 10. The information in its Solution section was updated; however, we advise you to pay close attention to the SAP Solution Manager Support Package versions, because on certain older versions the listed solution cannot be implemented.
Another update, Security Note 2622660, Security updates for the browser control Google Chromium delivered with SAP Business Client, with a CVSS score of 10, is the recurring Google Chromium entry found on most SAP Patch Day update lists.
In an SAP Manufacturing Integration and Intelligence environment, a potential attacker could inject malicious code into intercepted requests to the server in order to escalate privileges. The steps to mitigate this vulnerability are described in Security Note 3022622, Code injection vulnerability in SAP Manufacturing Integration and Intelligence, with a CVSS score of 9.9.
For the last highlight, SAP NetWeaver has also received a patch restricting access to sensitive data, in Security Note 3022422, Missing Authorization Check in SAP NetWeaver AS JAVA (MigrationService), with a CVSS score of 9.6.
Summary
SAP Component | Number | Description | Priority | CVSS | CVSS Vector |
---|---|---|---|---|---|
SV-SMG-MON-EEM | 2890213 | [CVE-2020-6207] Missing Authentication Check in SAP Solution Manager | HotNews | 10.0 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
BC-FES-BUS-DSK | 2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | HotNews | 10.0 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
MFG-MII | 3022622 | [CVE-2021-21480] Code injection vulnerability in SAP Manufacturing Integration and Intelligence | HotNews | 9.9 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
BC-UPG-TLS-TLJ | 3022422 | [CVE-2021-21481] Missing Authorization Check in SAP NetWeaver AS JAVA (MigrationService) | HotNews | 9.6 | CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
HAN-DB-SEC | 3017378 | [CVE-2021-21484] Possible authentication bypass in SAP HANA LDAP scenarios | high | 7.7 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L |
IS-B-BCA | 3007888 | [CVE-2021-21486] Missing Authorization check in SAP Enterprise Financial Services (Bank Customer Accounts) | medium | 6.8 | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N |
EP-KM-CM-UI | 2983436 | [CVE-2021-21488] Insecure Deserialisation in SAP NetWeaver Knowledge Management | medium | 6.5 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
FS-PE | 3023778 | [CVE-2021-21487] Missing Authorization Check in Payment Engine | medium | 5.8 | CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N |
BI-DEV-JAV | 2943844 | [CVE-2020-6308] Server-Side Request Forgery vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Services) | medium | 5.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
BC-WD-JAV | 2976947 | [CVE-2021-21491] Reverse TabNabbing vulnerability in SAP NetWeaver Application Server Java (Applications based on Web Dynpro Java) | medium | 4.7 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N |
CA-VE-VEV | 3027767 | [CVE-2021-27592] Improper Input Validation in SAP 3D Visual Enterprise Viewer | medium | 4.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L |
CA-VE-VEV | 3027758 | [Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer | medium | 4.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L |
PS-IS | 2944188 | [CVE-2020-6316] Missing Authorization Check in SAP ERP and SAP S/4 HANA | medium | 4.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |