SAP Security Notes - November 2021 - Safe O'Clock

SAP Security Notes – November 2021

November 9, 2021

On the 9th of November 2021, SAP Security Patch Day saw the release of 5 new Security Notes.

There were 2 updates to previously released Patch Day Security Notes. 

Notes by severity

HotNews 1
Correction with high priority 2
Correction with medium priority 4
Correction with low priority 0

Highlights

On November Patch Day SAP presents 3 high-severity Notes with 1 of them rated as HotNews. The Day meets us with not so many new Security Notes, nevertheless, they should be clarified. We will provide you with the basic information on what threats are described to mitigate for this SAP Security Patch Day.

Starting with 3099776 Security Note – Missing Authorization check in ABAP Platform Kernel with CVSS Score of 9.6. The escalation of privileges by the business user is possible, because of the discovered insufficiency of the authorisation check process in the ABAP Platform Kernel. It is stated that the general performance of the system could not be affected by this vulnerability exploitation. However, an attacker can elevate his privileges and acquire the possibility of affecting another system throughout the landscape. Necessary solution steps and ‘kernel’ file hotfixes are presented in the Note. 

The next Note for your attention is Security Note 3110328Missing Authorization check in SAP Commerce with CVSS Score of 8.3. It is well known that missing authorization checks could lead to severe modification or disclosure of sensitive data. SAP Commerce, as it was revealed, did not provide the necessary quality of authentication, which leads to the possibility for an attacker to access and edit data from b2b units. Any SAP Commerce installation using Commerce Organization is impacted, so, to eliminate the possibility of important product information exposure, we advise you to look at the solution Note part.

Security Note 2971638 Hard-coded Credentials in CA Introscope Enterprise Manager (Affected products: SAP Solution Manager and SAP Focused Run) – was re-released with updated solution information. With a CVSS Score of 7.5, this Note update requires the close attention of those who use Introscope of 10.5 version or versions older than 10.7. The criticality of this Note illustrates the importance of changing the default credentials for the services presented in the landscape.

Summary

SAP Component Number Description Priority CVSS CVSS Vector
BC-MID-RFC 3099776 [CVE-2021-40501] Missing Authorization check in ABAP Platform Kernel HotNews 9.6 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
CEC-COM-CPS-WEB 3110328 [CVE-2021-40502] Missing Authorization check in SAP Commerce high 8.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H
XX-PART-WILY 2971638 [CVE-2020-6369] Hard-coded Credentials in CA Introscope Enterprise Manager (Affected products: SAP Solution Manager  and  SAP Focused Run) high 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
BC-FES-GUI 3080106 [CVE-2021-40503] Information Disclosure in SAP GUI for Windows medium 6.8 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
PY-PT 3104456 [CVE-2021-42062] Missing Authorization check in SAP ERP HCM medium 6.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
FI-LOC-FI-FR 3068582 [CVE-2021-38164] Missing Authorization check in in SAP ERP Financial Accounting / RFOPENPOSTING_FR medium 5.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
BC-DWB-TOO 3105728 [CVE-2021-40504] Leverage of Permission in SAP NetWeaver Application Server for ABAP and ABAP Platform medium 4.9 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
You Might Be Interested In

The latest news in the
sphere of SAP security

SAP Security Notes – April 2024

On the 9th of April 2024, SAP Security Patch Day saw the release of 10 new Security Notes. There were […]

Read more
SAP News Overview for March 2024

SAP and NVIDIA partnership Another SAP partnership has benefited from the use of artificial intelligence. SAP SE and NVIDIA announced […]

Read more
SAP Security Notes – March 2024

On the 13th of February 2024, SAP Security Patch Day saw the release of 10 new Security Notes. There were […]

Read more
SAP News Overview for February 2024

SAP strengthens AI growth areas  In recent years, artificial intelligence has rightfully begun to gain increasing popularity among developers – […]

Read more

Subscribe today to get more insights,
updates, and industry trends

Delivered to your inbox weekly.
No spam. We respect your privacy

    This website use cookies. Learn more
    OK