On 12 October 2021, SAP Security Patch Day saw the release of 13 new Security Notes, plus 1 update to a previously released Patch Day Security Note.
Notes by severity
Priority | Number of Notes |
---|---|
HotNews | 3 |
Correction with high priority | 1 |
Correction with medium priority | 10 |
Correction with low priority | 0 |
Highlights
On October Patch Day SAP published four Notes rated HotNews or high priority: three HotNews (one of them the recurring Chromium update to an existing Note) and one high-priority Note. Below is an explanation of the threat behind each of these four, the Notes with the highest CVSS scores this Patch Day.
The list starts with the HotNews update to Security Note 2622660 – Security updates for the browser control Google Chromium delivered with SAP Business Client – with a CVSS Score of 10.0. The Chromium engine bundled with SAP Business Client was updated to pick up several upstream fixes. SAP does not describe the individual changes in the Note, but that does not change the priority: the vector (AV:N, PR:N, UI:N, scope changed) reflects an embedded browser that renders untrusted content, so the update should be applied promptly. Note that this is a desktop client fix, so it has to be rolled out to every workstation running SAP Business Client, not just to the servers.
The next HotNews Note is 3101406 – Potential XML External Entity Injection Vulnerability in SAP Environmental Compliance – with a CVSS Score of 9.8. SAP Environmental Compliance 3.0 ships open-source components with known vulnerabilities, which exposes its Data Import from Excel Template function to XML External Entity (XXE) injection: an .xlsx template is a zip archive of XML parts, and a parser that honours DTDs will resolve attacker-supplied external entities when such a template is imported. The Note lists the individual CVEs of the affected components together with the solution steps. The vector (AV:N, PR:N, UI:N with C:H/I:H/A:H) means an unauthenticated network attacker gets full impact, so this Note belongs at the top of the queue alongside the Chromium update.
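To make the Excel-import XXE path concrete, here is an added example in Python (not SAP's code and not taken from the Note) of the pre-parse gate an importer needs: it unzips the .xlsx package, rejects any XML part that carries a DOCTYPE or ENTITY declaration (OOXML parts never legitimately contain a DTD), bounds the decompressed size of each part, and only then parses the worksheet. The package builder, the malicious worksheet with its `file:///etc/passwd` entity and the clean worksheet are all constructed inline for the demonstration; a parser that resolves external entities would inline the referenced file into cell A1.

```python
"""Gate OOXML (.xlsx) imports against XXE before any XML part is parsed.

Added example, not SAP code. It assumes an importer that unzips a
spreadsheet and parses its XML parts; the payload and the workbook
bytes below are constructed for the demonstration.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML parts must not carry a DTD at all (ECMA-376), so any DOCTYPE or
# ENTITY declaration inside the package is a reliable rejection signal.
DTD_MARKER = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b")
MAX_PART_BYTES = 10 * 1024 * 1024  # also bounds zip-bomb style decompression

NS = {"s": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}


class UnsafeSpreadsheet(ValueError):
    """Raised when a package is rejected before parsing."""


def build_xlsx(sheet_xml: bytes) -> bytes:
    """Construct a minimal .xlsx-like package around one worksheet part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   b'<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("xl/worksheets/sheet1.xml", sheet_xml)
    return buf.getvalue()


# Constructed malicious worksheet: an external entity pointing at a local file,
# referenced from a cell. A DTD-processing parser would inline the file content.
XXE_SHEET = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE worksheet [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    b'<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
    b'<sheetData><row r="1"><c r="A1" t="inlineStr"><is><t>&xxe;</t></is></c></row></sheetData>'
    b'</worksheet>'
)

# Constructed benign worksheet with two inline-string cells.
CLEAN_SHEET = (
    b'<?xml version="1.0"?>'
    b'<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
    b'<sheetData><row r="1">'
    b'<c r="A1" t="inlineStr"><is><t>Site A</t></is></c>'
    b'<c r="B1" t="inlineStr"><is><t>12.5</t></is></c>'
    b'</row></sheetData></worksheet>'
)


def find_dtd_parts(package: bytes) -> list:
    """Return names of XML parts that declare a DTD or an entity."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        for info in z.infolist():
            if not info.filename.lower().endswith((".xml", ".rels")):
                continue
            if info.file_size > MAX_PART_BYTES:
                raise UnsafeSpreadsheet(f"{info.filename}: part too large")
            if DTD_MARKER.search(z.read(info)):
                bad.append(info.filename)
    return bad


def import_cells(package: bytes) -> list:
    """Reject unsafe packages, then read inline-string cells from sheet1."""
    bad = find_dtd_parts(package)
    if bad:
        raise UnsafeSpreadsheet("DTD/entity declaration in " + ", ".join(bad))
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        root = ET.fromstring(z.read("xl/worksheets/sheet1.xml"))
    cells = []
    for c in root.iterfind(".//s:c", NS):
        t = c.find("s:is/s:t", NS)
        cells.append((c.get("r"), t.text if t is not None else None))
    return cells


if __name__ == "__main__":
    print(import_cells(build_xlsx(CLEAN_SHEET)))
    try:
        import_cells(build_xlsx(XXE_SHEET))
    except UnsafeSpreadsheet as exc:
        print("rejected:", exc)
```

The gate is deliberately a byte-level check rather than a parser option, because an importer may hand the same bytes to several XML libraries, and the Note's point is precisely that the vulnerable code sits in bundled open-source components the application does not control; parser-side hardening (DTDs and external entities disabled) still belongs on every parser that touches the parts.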
The next Note, 3097887 – [CVE-2021-38178] Improper Authorization in SAP NetWeaver AS ABAP and ABAP Platform – carries a CVSS Score of 9.1 and fixes a missing authorization check in the quality gate function of ABAP software logistics. The vector (PR:H, scope changed) tells the story: the attacker needs high privileges to begin with, but code that gets past the quality gates is carried along the transport route to other systems, where it can completely compromise confidentiality, integrity and availability.
The last Note to cover is 3077635 – [CVE-2021-40498] Denial of service (DOS) in the SAP SuccessFactors Mobile Application for Android devices – with a CVSS Score of 7.8 (high priority). The vector (AV:L, PR:L) puts the attacker on the device itself, for example another installed app with ordinary permissions, rather than on the network. Abusing the flaw makes the SuccessFactors app unavailable, denying the user access to SuccessFactors services. In addition, the way the app's activities are implemented on Android lets another app pick them up while SuccessFactors is running in the background, which exposes the user to phishing. The fix is in the app itself, so remediation means updating the app on managed devices rather than patching a server.
Summary
SAP Component | Note Number | Title | Priority | CVSS | CVSS Vector |
---|---|---|---|---|---|
BC-FES-BUS-DSK | 2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | HotNews | 10.0 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
XAP-EM | 3101406 | Potential XML External Entity Injection Vulnerability in SAP Environmental Compliance | HotNews | 9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
BC-CTS-ORG | 3097887 | [CVE-2021-38178] Improper Authorization in SAP NetWeaver AS ABAP and ABAP Platform | HotNews | 9.1 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
LOD-SF-FWK | 3077635 | [CVE-2021-40498] Denial of service (DOS) in the SAP SuccessFactors Mobile Application for Android devices | high | 7.8 | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
BI-RA-CR-DB | 3074693 | [CVE-2021-40500] Missing XML Validation in SAP BusinessObjects Business Intelligence Platform (Crystal Reports) | medium | 6.9 | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N |
SBO-CRO-SEC | 3074819 | [CVE-2021-38179] Information Disclosure in SAP Business One | medium | 6.7 | CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
SBO-CRO-SEC | 3079427 | [CVE-2021-38180] CSV Injection in SAP Business One | medium | 6.5 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L |
BC-CST-IC | 3080710 | [CVE-2021-38181] Denial of service (DOS) in SAP NetWeaver AS ABAP and ABAP Platform | medium | 6.5 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
BC-CCM-PRN | 3100882 | [CVE-2021-40499] Code Injection vulnerability for SAP NetWeaver Application Server for ABAP (SAP Cloud Print Manager and SAPSprint) | medium | 6.4 | CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H |
CA-UI5-COR | 3055347 | Cross-Site Scripting (XSS) vulnerability in SAPUI5 | medium | 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
BC-CTS-TMS | 3084937 | [CVE-2021-38183] Cross-Site Scripting (XSS) vulnerability in cms Service of SAP NetWeaver | medium | 5.4 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:L |
BC-ABA-LA | 3099011 | [CVE-2021-40495] Denial of Service (DOS) in SAP NetWeaver Application Server for ABAP and ABAP Platform | medium | 5.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
BI-RA-AWB | 3098917 | [CVE-2021-40497] Information Disclosure in SAP BusinessObjects Analysis (edition for OLAP) | medium | 4.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
BC-MID-ICF-LGN | 3087254 | [CVE-2021-40496] Improper Access Control in SAP NetWeaver AS ABAP and ABAP Platform | medium | 4.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |