SAP Security Notes - May 2021 - Safe O'Clock

SAP Security Notes – May 2021

May 11, 2021

On the 11th of May 2021, SAP Security Patch Day saw the release of 6 new Security Notes.

There were 5 updates to previously released Patch Day Security Notes.

Notes by severity

HotNews 3
Correction with high priority 3
Correction with medium priority 4
Correction with low priority 1

Highlights

On the May Patch Day, SAP presents 6 high-severity Notes, with 3 of them rated as HotNews.

The HotNews update for Security Note 2622660 – Security updates for the browser control Google Chromium delivered with SAP Business Client, with a CVSS Score of 10, starts our list today. It is the usual update of the Note released in August 2018.

Two more updates from the 2021 release are presented on the Patch Day: 3040210 – Remote Code Execution vulnerability in Source Rules of SAP Commerce and 2999854 – Code Injection in SAP Business Warehouse and SAP BW/4HANA (both with a CVSS Score of 9.9).

SAP NetWeaver AS ABAP could become the target of code injection by a potential attacker using ABAP report execution. This vulnerability and the steps for mitigation are presented in Security Note 3046610 – Code Injection vulnerability in SAP NetWeaver AS ABAP, with a CVSS Score of 8.2.

We would also like to mention 2 other Security Notes rated as corrections with high priority: 3049661 – Multiple vulnerabilities in SAP Business One, version for SAP HANA (Business-One-Hana-Chef-Cookbook) and 3049755 – Information Disclosure in SAP Business One (Chef business-one-cookbook). We advise you to pay them the necessary attention, as these are common systems in the user's landscape.

Summary

| SAP Component | Number | Description | Priority | CVSS | CVSS Vector |
|---|---|---|---|---|---|
| BC-FES-BUS-DSK | 2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | HotNews | 10.0 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| CEC-COM-CPS-CKP | 3040210 | [CVE-2021-27602] Remote Code Execution vulnerability in Source Rules of SAP Commerce | HotNews | 9.9 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| BW-BEX-OT-DBIF | 2999854 | [CVE-2021-21466] Code Injection in SAP Business Warehouse and SAP BW/4HANA | HotNews | 9.9 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| BC-CTS-ORG | 3046610 | [CVE-2021-27611] Code Injection vulnerability in SAP NetWeaver AS ABAP | high | 8.2 | CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
| SBO-HANA-COM | 3049661 | [CVE-2021-27616] Multiple vulnerabilities in SAP Business One, version for SAP HANA (Business-One-Hana-Chef-Cookbook) | high | 7.8 | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| SBO-BC-INT | 3049755 | [CVE-2021-27613] Information Disclosure in SAP Business One (Chef business-one-cookbook) | high | 7.8 | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CEC-COM-CPS | 3039818 | [CVE-2021-27619] Information Disclosure in SAP Commerce (Backoffice search) | medium | 6.5 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| BC-XI-IBF-UI | 3012021 | [Multiple CVEs] Multiple vulnerabilities in SAP Process Integration (Integration Builder Framework) | medium | 4.9 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H |
| BC-WD-JAV | 2976947 | [CVE-2021-21491] Reverse TabNabbing vulnerability in SAP NetWeaver Application Server Java (Applications based on Web Dynpro Java) | medium | 4.7 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N |
| SV-FRN-APP-SDD | 3030948 | [CVE-2021-27609] Missing Authorization check in SAP Focused RUN | medium | 4.6 | CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L |
| BC-FES-CTL | 3023078 | [CVE-2021-27612] SAP GUI for Windows is vulnerable to redirect users to an untrusted website | low | 3.4 | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N |