SAP Security Notes - October 2021 - Safe O'Clock

SAP Security Notes – October 2021

October 12, 2021

On the 12th of October 2021, SAP Security Patch Day saw the release of 13 new Security Notes.

There was 1 update to previously released Patch Day Security Notes.

Notes by severity

HotNews: 3
Correction with high priority: 1
Correction with medium priority: 10
Correction with low priority: 0

Highlights

On the October Patch Day, SAP presents 3 high-severity Notes, 1 of them rated as HotNews. Below we explain the threat behind the Notes with the highest CVSS Scores among the Security Notes of this Patch Day.

The HotNews update for Security Note 2622660 – Security updates for the browser control Google Chromium delivered with SAP Business Client – with a CVSS Score of 10 starts our list today. The Google Chromium engine was updated with several new fixes. Even though the vendor does not disclose the details of the internal changes, the need for a timely update is not in doubt, and the update should be applied in any case.

The next Security Note rated as HotNews is Note 3101406 – Potential XML External Entity Injection Vulnerability in SAP Environmental Compliance – with a CVSS Score of 9.8. It was discovered that SAP Environmental Compliance uses insecure open-source software components, which could potentially expose it to an XML External Entity Injection attack. The vulnerability in the Data Import from Excel Template of SAP Environmental Compliance 3.0 is described in several listed CVEs, along with the solution steps.
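The import path named in this Note is the Data Import from Excel Template. An .xlsx file is a zip archive of XML parts, and an XML parser that resolves DTDs is what turns an uploaded workbook into an XML External Entity Injection vector. The Python below is an added example, not code from the original post or from SAP; it shows the defensive check an import routine can apply before parsing anything: every XML part of the uploaded workbook is scanned for a DOCTYPE or ENTITY declaration, and the whole file is refused if one is found, since a spreadsheet part has no legitimate need for a DTD. The workbook builder, the simplified unnamespaced sheet layout and the hostile sample are constructed for the example; real worksheet parts are namespaced and far richer, which is why the cell lookup strips namespaces.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Any DOCTYPE or ENTITY declaration is treated as hostile: the import refuses the
# upload before an XML parser ever sees the part, so entity resolution cannot occur.
DTD_MARKER = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def unsafe_xml_parts(xlsx_bytes: bytes) -> list:
    """Names of every XML part in the workbook that contains a DTD declaration."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        for name in zf.namelist():
            if name.lower().endswith((".xml", ".rels")) and DTD_MARKER.search(zf.read(name)):
                flagged.append(name)
    return flagged


def local_name(tag) -> str:
    """Strip a namespace prefix such as '{uri}v' down to 'v' (non-str tags are comments)."""
    return tag.rsplit("}", 1)[-1] if isinstance(tag, str) else ""


def import_template(xlsx_bytes: bytes) -> list:
    """Extract cell values from worksheet parts, refusing any workbook that carries a DTD."""
    bad = unsafe_xml_parts(xlsx_bytes)
    if bad:
        raise ValueError(f"rejected: DTD or entity declaration in {bad}")
    values = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("xl/worksheets/") and name.endswith(".xml"):
                root = ET.fromstring(zf.read(name))
                values.extend(el.text or "" for el in root.iter() if local_name(el.tag) == "v")
    return values


def build_workbook(sheet_xml: bytes) -> bytes:
    """Constructed minimal workbook-like zip with one sheet part (sample input, not a real .xlsx)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        zf.writestr("xl/worksheets/sheet1.xml", sheet_xml)
    return buf.getvalue()


# Constructed samples: a benign sheet, and one whose DTD declares an external entity
# (the SYSTEM URI is a placeholder, not a real target).
CLEAN_SHEET = b'<?xml version="1.0"?><sheet><row><c><v>42</v></c><c><v>ok</v></c></row></sheet>'
HOSTILE_SHEET = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE sheet [<!ENTITY ext SYSTEM "file:///PLACEHOLDER">]>'
    b'<sheet><row><c><v>&ext;</v></c></row></sheet>'
)

if __name__ == "__main__":
    print(import_template(build_workbook(CLEAN_SHEET)))  # ['42', 'ok']
    try:
        import_template(build_workbook(HOSTILE_SHEET))
    except ValueError as exc:
        print(exc)  # rejected: DTD or entity declaration in ['xl/worksheets/sheet1.xml']
```

Rejecting the DTD up front is the mitigation OWASP recommends for XXE regardless of which parser library sits behind the import; it also covers the .rels parts and any other XML a component might parse, and it does not depend on every third-party library having entity resolution switched off.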

Note 3097887 with a CVSS Score of 9.1 – Improper Authorization in SAP NetWeaver AS ABAP and ABAP Platform – provides the fix for the function of ABAP software logistics quality gates. Malicious code injected by a potential attacker can reach various systems and may completely compromise the system's confidentiality, integrity, and availability.

The last Security Note to cover is 3077635 – Denial of service (DOS) in the SAP SuccessFactors Mobile Application for Android devices – with a CVSS Score of 7.8 (high priority). The vulnerability exposes Android devices to a potential loss of availability, denying access to SuccessFactors services. The subsequent overflow of the service leads to Denial of Service. In addition, Android implementation methods make it possible to pick up the activities of applications working in the background, exposing the user to a phishing attack.

Summary

| SAP Component | Number | Description | Priority | CVSS | CVSS Vector |
|---|---|---|---|---|---|
| BC-FES-BUS-DSK | 2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | HotNews | 10.0 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| XAP-EM | 3101406 | Potential XML External Entity Injection Vulnerability in SAP Environmental Compliance | HotNews | 9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| BC-CTS-ORG | 3097887 | [CVE-2021-38178] Improper Authorization in SAP NetWeaver AS ABAP and ABAP Platform | HotNews | 9.1 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
| LOD-SF-FWK | 3077635 | [CVE-2021-40498] Denial of service (DOS) in the SAP SuccessFactors Mobile Application for Android devices | high | 7.8 | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| BI-RA-CR-DB | 3074693 | [CVE-2021-40500] Missing XML Validation in SAP BusinessObjects Business Intelligence Platform (Crystal Reports) | medium | 6.9 | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N |
| SBO-CRO-SEC | 3074819 | [CVE-2021-38179] Information Disclosure in SAP Business One | medium | 6.7 | CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| SBO-CRO-SEC | 3079427 | [CVE-2021-38180] CSV Injection in SAP Business One | medium | 6.5 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L |
| BC-CST-IC | 3080710 | [CVE-2021-38181] Denial of service (DOS) in SAP NetWeaver AS ABAP and ABAP Platform | medium | 6.5 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| BC-CCM-PRN | 3100882 | [CVE-2021-40499] Code Injection vulnerability for SAP NetWeaver Application Server for ABAP (SAP Cloud Print Manager and SAPSprint) | medium | 6.4 | CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H |
| CA-UI5-COR | 3055347 | Cross-Site Scripting (XSS) vulnerability in SAPUI5 | medium | 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| BC-CTS-TMS | 3084937 | [CVE-2021-38183] Cross-Site Scripting (XSS) vulnerability in cms Service of SAP NetWeaver | medium | 5.4 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:L |
| BC-ABA-LA | 3099011 | [CVE-2021-40495] Denial of Service (DOS) in SAP NetWeaver Application Server for ABAP and ABAP Platform | medium | 5.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
| BI-RA-AWB | 3098917 | [CVE-2021-40497] Information Disclosure in SAP BusinessObjects Analysis (edition for OLAP) | medium | 4.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| BC-MID-ICF-LGN | 3087254 | [CVE-2021-40496] Improper Access Control in SAP NetWeaver AS ABAP and ABAP Platform | medium | 4.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |