SAP Security Patch

This post by SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that the customer visits the Support Portal and applies patches on a priority to protect their SAP landscape.

On 9th of March 2021, SAP Security Patch Day saw the release of 9 Security Notes. There were 4 updates to previously released Patch Day Security Notes.

List of security notes released on March Patch Day:

Note#	Title	Priority	CVSS
2890213	Update to security note released on March 2020 Patch Day: [CVE-2020-6207] Missing Authentication Check in SAP Solution Manager (User-Experience Monitoring) Product - SAP Solution Manager (User Experience Monitoring), Version - 7.2	Hot News	10
2622660	Update to security note released on April 2018 Patch Day: Security updates for the browser control Google Chromium delivered with SAP Business Client Product - SAP Business Client, Version - 6.5	Hot News	10
3022622	[CVE-2021-21480] Code Injection Vulnerability in SAP MII Product - SAP Manufacturing Integration and Intelligence, Versions - 15.1, 15.2, 15.3, 15.4	Hot News	9.9
3022422	[CVE-2021-21481] Missing Authorization Check in SAP NetWeaver AS JAVA (MigrationService) Product - SAP NetWeaver AS JAVA (MigrationService), Versions - 7.10, 7.11, 7.30, 7.31, 7.40, 7.50	Hot News	9.6
3017378	[CVE-2021-21484] Possible authentication bypass in SAP HANA LDAP scenarios Product - SAP HANA, Version - 2.0	High	7.7
3007888	[CVE-2021-21486] Missing Authorization check in SAP Enterprise Financial Services( Bank Customer Accounts) Product - SAP Enterprise Financial Services (Bank Customer Accounts), Versions - 101, 102, 103, 104, 105, 600, 603, 604, 605, 606, 616, 617, 618, 800	Medium	6.8
2983436	[CVE-2021-21488] Insecure Deserialisation in SAP NetWeaver Knowledge Management Product - SAP NetWeaver Knowledge Management, Versions - 7.01, 7.02, 7.30,7.31, 7.40, 7.50	Medium	6.8
3023778	[CVE-2021-21487] Missing Authorization Check in Payment Engine Product - SAP Payment Engine, Version - 500	Medium	6.8
2943844	Update to security note released on October 2020 Patch Day: [CVE-2020-6308] Server-Side Request Forgery vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Services) Product - SAP BusinessObjects Business Intelligence Platform (Web Services), Versions - 410, 420, 430	Medium	5.3
2976947	[CVE-2021-21491] Reverse TabNabbing vulnerability in SAP NetWeaver Application Server Java (Applications based on Web Dynpro Java) Product - SAP NetWeaver Application Server Java (Applications based on Web Dynpro Java), Versions - 7.00, 7.10, 7.11, 7.20, 7.30, 731, 7.40, 7.50	Medium	4.7
3027767	[CVE-2021-27592] Improper Input Validation in SAP 3D Visual Enterprise Viewer Product - SAP 3D Visual Enterprise Viewer, Version - 9	Medium	4.3
3027758	[Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer   Related CVEs - CVE-2021-27585, CVE-2021-27586, CVE-2021-27587, CVE-2021-21493, CVE-2021-27588, CVE-2021-27591, CVE-2021-27584, CVE-2021-27589, CVE-2021-27590 Product - SAP 3D Visual Enterprise Viewer, Version - 9	Medium	4.3
2944188	Update to security note released on November 2020 Patch Day: [CVE-2020-6316] Missing Authorization Check in SAP ERP and SAP S/4 HANA Product - SAP ERP, Versions - 600, 602, 603, 604, 605, 606, 616, 617, 618 Product - SAP S/4 HANA, Versions - 100, 101, 102, 103, 104