On the 9th of November 2021, SAP Security Patch Day saw the release of 5 new Security Notes.
There were 2 updates to previously released Patch Day Security Notes.
Notes by severity
| HotNews | 1 |
| Correction with high priority | 2 |
| Correction with medium priority | 4 |
| Correction with low priority | 0 |
Highlights
On November Patch Day SAP presents 3 high-severity Notes with 1 of them rated as HotNews. The Day meets us with not so many new Security Notes, nevertheless, they should be clarified. We will provide you with the basic information on what threats are described to mitigate for this SAP Security Patch Day.
Starting with 3099776 Security Note – Missing Authorization check in ABAP Platform Kernel with CVSS Score of 9.6. The escalation of privileges by the business user is possible, because of the discovered insufficiency of the authorisation check process in the ABAP Platform Kernel. It is stated that the general performance of the system could not be affected by this vulnerability exploitation. However, an attacker can elevate his privileges and acquire the possibility of affecting another system throughout the landscape. Necessary solution steps and ‘kernel’ file hotfixes are presented in the Note.
The next Note for your attention is Security Note 3110328 – Missing Authorization check in SAP Commerce with CVSS Score of 8.3. It is well known that missing authorization checks could lead to severe modification or disclosure of sensitive data. SAP Commerce, as it was revealed, did not provide the necessary quality of authentication, which leads to the possibility for an attacker to access and edit data from b2b units. Any SAP Commerce installation using Commerce Organization is impacted, so, to eliminate the possibility of important product information exposure, we advise you to look at the solution Note part.
Security Note 2971638 – Hard-coded Credentials in CA Introscope Enterprise Manager (Affected products: SAP Solution Manager and SAP Focused Run) – was re-released with updated solution information. With a CVSS Score of 7.5, this Note update requires the close attention of those who use Introscope of 10.5 version or versions older than 10.7. The criticality of this Note illustrates the importance of changing the default credentials for the services presented in the landscape.
Summary
| SAP Component | Number | Description | Priority | CVSS | CVSS Vector |
|---|---|---|---|---|---|
| BC-MID-RFC | 3099776 | [CVE-2021-40501] Missing Authorization check in ABAP Platform Kernel | HotNews |
9.6
|
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N |
| CEC-COM-CPS-WEB | 3110328 | [CVE-2021-40502] Missing Authorization check in SAP Commerce | high |
8.3
|
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H |
| XX-PART-WILY | 2971638 | [CVE-2020-6369] Hard-coded Credentials in CA Introscope Enterprise Manager (Affected products: SAP Solution Manager and SAP Focused Run) | high |
7.5
|
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| BC-FES-GUI | 3080106 | [CVE-2021-40503] Information Disclosure in SAP GUI for Windows | medium |
6.8
|
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N |
| PY-PT | 3104456 | [CVE-2021-42062] Missing Authorization check in SAP ERP HCM | medium |
6.5
|
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| FI-LOC-FI-FR | 3068582 | [CVE-2021-38164] Missing Authorization check in in SAP ERP Financial Accounting / RFOPENPOSTING_FR | medium |
5.4
|
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
| BC-DWB-TOO | 3105728 | [CVE-2021-40504] Leverage of Permission in SAP NetWeaver Application Server for ABAP and ABAP Platform | medium |
4.9
|
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N |
