SAP Security Notes - September 2021 - Safe O'Clock


September 14, 2021

On the 14th of September 2021, SAP Security Patch Day saw the release of 17 new Security Notes.

There were 2 updates to previously released Patch Day Security Notes.

Notes by severity

HotNews: 7
Correction with high priority: 2
Correction with medium priority: 10

Highlights

This September Patch Day brings a sizeable 9 high-severity Notes, 2 of them rated as HotNews. We briefly cover the hot topics of this Patch Day so you can focus on the ones most relevant to you.

HotNews updates were released for two Notes: 2622660 – Security updates for the browser control Google Chromium delivered with SAP Business Client (CVSS Score 10.0) and 3071984 – Unrestricted File Upload vulnerability in SAP Business One (CVSS Score 9.9). While the Chromium updates are essential to apply but routine, the mitigation steps for the SAP Business One vulnerability have changed since the August Patch Day: the Note was re-released with updated Solution information on how to prevent an attacker from uploading files that have not passed proper file format validation.

Another file upload vulnerability is covered by Security Note 3084487 – Unrestricted File Upload vulnerability in SAP NetWeaver (Visual Composer 7.0 RT) (CVSS Score 9.9). Be aware that the workaround presented there is only a temporary measure; the actual solution still needs to be applied.

Note 3078609 – Missing Authorization check in SAP NetWeaver Application Server for Java (JMS Connector Service), with a CVSS Score of 10, describes, as its title indicates, a lack of the necessary authorisation checks on user privileges. Without the solution applied, data in SAP NetWeaver AppServer could be exposed to various malicious actions.

SAP NZDT Mapping Table Framework received a fix for potential injections in Security Note 3089831 – SQL Injection vulnerability in SAP NZDT Mapping Table Framework, with a high CVSS Score of 9.9. Without the presented solutions applied, a manipulated query or ABAP code injection could be performed remotely.

An authenticated attacker, even without administrative privileges, could create and execute malicious XSL files in SAP NetWeaver Knowledge Management, compromising the security of the system. This vulnerability is described in Note 3081888 – Code Injection vulnerability in SAP NetWeaver Knowledge Management (XMLForms), with a CVSS Score of 9.9.

Note 3073891 – Multiple vulnerabilities in SAP Contact Center, with a CVSS Score of 9.6, helps users prevent several types of potential attacks on SAP Contact Center, such as command injection and reflected XSS, caused by insufficient encoding of input data.

Summary

| SAP Component | Number | Title | CVSS Score | Priority | CVSS Vector |
|---|---|---|---|---|---|
| BC-FES-BUS-DSK | 2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | 10.0 | HotNews | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| BC-JAS-JMS | 3078609 | [CVE-2021-37535] Missing Authorization check in SAP NetWeaver Application Server for Java (JMS Connector Service) | 10.0 | HotNews | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| SBO-CRO-SEC | 3071984 | [CVE-2021-33698] Unrestricted File Upload vulnerability in SAP Business One | 9.9 | HotNews | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| BC-UPG-NZ | 3089831 | [CVE-2021-38176] SQL Injection vulnerability in SAP NZDT Mapping Table Framework | 9.9 | HotNews | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| EP-VC-RTM | 3084487 | [CVE-2021-38163] Unrestricted File Upload vulnerability in SAP NetWeaver (Visual Composer 7.0 RT) | 9.9 | HotNews | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| BC-ESI-WS-JAV-RT | 3081888 | [CVE-2021-37531] Code Injection vulnerability in SAP NetWeaver Knowledge Management (XMLForms) | 9.9 | HotNews | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| CRM-CCI | 3073891 | [CVE-2021-33672] Multiple vulnerabilities in SAP Contact Center | 9.6 | HotNews | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L |
| BC-CST-WDP | 3080567 | [CVE-2021-38162] HTTP Request Smuggling in SAP Web Dispatcher | 8.9 | Correction with high priority | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L |
| BC-IAM-SSO-CCL | 3051787 | [CVE-2021-38177] Null Pointer Dereference vulnerability in SAP CommonCryptoLib | 7.5 | Correction with high priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| SBO-CRO-SEC | 3069032 | [CVE-2021-33685] Directory Traversal vulnerability in SAP Business One | 6.5 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| BW-BEX-OT-RRI | 3082500 | [CVE-2021-38175] Information Disclosure in SAP Analysis for Microsoft Office | 6.5 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N |
| BC-FES-BUS-DSK | 3060621 | [CVE-2021-38150] Information disclosure in SAP Business Client | 6.1 | Correction with medium priority | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N |
| BI-BIP-INV | 3055180 | [CVE-2021-33679] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (BI Workspace) | 5.4 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| FI-LOC-FI-FR | 3068582 | [CVE-2021-38164] Missing Authorization check in SAP ERP Financial Accounting / RFOPENPOSTING_FR | 5.4 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
| SBO-CRO-SEC | 3070138 | [CVE-2021-33686] Information Disclosure in SAP Business One | 5.3 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| EP-PIN-PRT | 3082219 | [CVE-2021-21489] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal | 4.8 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N |
| SBO-CRO-SEC | 3069882 | [CVE-2021-33688] SQL Injection vulnerability in SAP Business One | 4.3 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| SBO-CRO-SEC | 3075546 | [CVE-2021-37532] Directory Listing Enabled in SAP Business One | 4.3 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| CA-VE-VEV | 3087791 | [CVE-2021-38174] Improper Input Validation in SAP 3D Visual Enterprise Viewer | 4.3 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L |
