SAP Security Notes - May 2021 - Safe O'Clock

SAP Security Notes – May 2021

May 11, 2021

On the 11th of May 2021, SAP Security Patch Day saw the release of 6 new Security Notes.

There were 5 updates to previously released Patch Day Security Notes.

Notes by severity

| Priority | Number of Notes |
|---|---|
| HotNews | 3 |
| Correction with high priority | 3 |
| Correction with medium priority | 4 |
| Correction with low priority | 1 |

Highlights

On the May Patch Day, SAP presents 6 high-severity Notes, 3 of them rated as HotNews.

Our list starts today with the HotNews update to Security Note 2622660 Security updates for the browser control Google Chromium delivered with SAP Business Client, with a CVSS Score of 10. This is a usual update of the Note released in August 2018.

Two more updates from the 2021 release are presented on this Patch Day: 3040210 Remote Code Execution vulnerability in Source Rules of SAP Commerce and 2999854 Code Injection in SAP Business Warehouse and SAP BW/4HANA (both with a CVSS Score of 9.9).

SAP NetWeaver AS ABAP could become the target of a code injection by a potential attacker using an ABAP report execution. This vulnerability and the steps for mitigation are presented in Security Note 3046610 Code Injection vulnerability in SAP NetWeaver AS ABAP, with a CVSS Score of 8.2.

Also, we would like to mention 2 other Security Notes rated as corrections with high priority: 3049661 Multiple vulnerabilities in SAP Business One, version for SAP HANA (Business-One-Hana-Chef-Cookbook) and 3049755 Information Disclosure in SAP Business One (Chef business-one-cookbook). We advise you to pay the necessary attention to them, as these are common systems in the user's landscape.

Summary

| SAP Component | Number | Title | CVSS Score | Priority | CVSS Vector |
|---|---|---|---|---|---|
| BC-FES-BUS-DSK | 2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | 10 | HotNews | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| CEC-COM-CPS-CKP | 3040210 | [CVE-2021-27602] Remote Code Execution vulnerability in Source Rules of SAP Commerce | 9.9 | HotNews | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| BW-BEX-OT-DBIF | 2999854 | [CVE-2021-21466] Code Injection in SAP Business Warehouse and SAP BW/4HANA | 9.9 | HotNews | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| BC-CTS-ORG | 3046610 | [CVE-2021-27611] Code Injection vulnerability in SAP NetWeaver AS ABAP | 8.2 | Correction with high priority | CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
| SBO-HANA-COM | 3049661 | [CVE-2021-27616] Multiple vulnerabilities in SAP Business One, version for SAP HANA (Business-One-Hana-Chef-Cookbook) | 7.8 | Correction with high priority | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| SBO-BC-INT | 3049755 | [CVE-2021-27613] Information Disclosure in SAP Business One (Chef business-one-cookbook) | 7.8 | Correction with high priority | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CEC-COM-CPS | 3039818 | [CVE-2021-27619] Information Disclosure in SAP Commerce (Backoffice search) | 6.5 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| BC-XI-IBF-UI | 3012021 | [Multiple CVEs] Multiple vulnerabilities in SAP Process Integration (Integration Builder Framework) | 4.9 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H |
| BC-WD-JAV | 2976947 | [CVE-2021-21491] Reverse TabNabbing vulnerability in SAP NetWeaver Application Server Java (Applications based on Web Dynpro Java) | 4.7 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N |
| SV-FRN-APP-SDD | 3030948 | [CVE-2021-27609] Missing Authorization check in SAP Focused RUN | 4.6 | Correction with medium priority | CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L |
| BC-FES-CTL | 3023078 | [CVE-2021-27612] SAP GUI for Windows is vulnerable to redirect users to an untrusted website | 3.4 | Correction with low priority | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N |

 

 
