SAP Security Patch


This post by the SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply patches on a priority basis to protect their SAP landscape.

On 9th of March 2021, SAP Security Patch Day saw the release of 9 Security Notes. There were 4 updates to previously released Patch Day Security Notes.

List of security notes released on March Patch Day:

| Note# | Title | Product | Priority | CVSS |
|---|---|---|---|---|
| 2890213 | Update to security note released on March 2020 Patch Day: [CVE-2020-6207] Missing Authentication Check in SAP Solution Manager (User-Experience Monitoring) | SAP Solution Manager (User Experience Monitoring), Version - 7.2 | Hot News | 10 |
| 2622660 | Update to security note released on April 2018 Patch Day: Security updates for the browser control Google Chromium delivered with SAP Business Client | SAP Business Client, Version - 6.5 | Hot News | 10 |
| 3022622 | [CVE-2021-21480] Code Injection Vulnerability in SAP MII | SAP Manufacturing Integration and Intelligence, Versions - 15.1, 15.2, 15.3, 15.4 | Hot News | 9.9 |
| 3022422 | [CVE-2021-21481] Missing Authorization Check in SAP NetWeaver AS JAVA (MigrationService) | SAP NetWeaver AS JAVA (MigrationService), Versions - 7.10, 7.11, 7.30, 7.31, 7.40, 7.50 | Hot News | 9.6 |
| 3017378 | [CVE-2021-21484] Possible authentication bypass in SAP HANA LDAP scenarios | SAP HANA, Version - 2.0 | High | 7.7 |
| 3007888 | [CVE-2021-21486] Missing Authorization check in SAP Enterprise Financial Services (Bank Customer Accounts) | SAP Enterprise Financial Services (Bank Customer Accounts), Versions - 101, 102, 103, 104, 105, 600, 603, 604, 605, 606, 616, 617, 618, 800 | Medium | 6.8 |
| 2983436 | [CVE-2021-21488] Insecure Deserialisation in SAP NetWeaver Knowledge Management | SAP NetWeaver Knowledge Management, Versions - 7.01, 7.02, 7.30, 7.31, 7.40, 7.50 | Medium | 6.8 |
| 3023778 | [CVE-2021-21487] Missing Authorization Check in Payment Engine | SAP Payment Engine, Version - 500 | Medium | 6.8 |
| 2943844 | Update to security note released on October 2020 Patch Day: [CVE-2020-6308] Server-Side Request Forgery vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Services) | SAP BusinessObjects Business Intelligence Platform (Web Services), Versions - 410, 420, 430 | Medium | 5.3 |
| 2976947 | [CVE-2021-21491] Reverse TabNabbing vulnerability in SAP NetWeaver Application Server Java (Applications based on Web Dynpro Java) | SAP NetWeaver Application Server Java (Applications based on Web Dynpro Java), Versions - 7.00, 7.10, 7.11, 7.20, 7.30, 731, 7.40, 7.50 | Medium | 4.7 |
| 3027767 | [CVE-2021-27592] Improper Input Validation in SAP 3D Visual Enterprise Viewer | SAP 3D Visual Enterprise Viewer, Version - 9 | Medium | 4.3 |
| 3027758 | [Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer. Related CVEs - CVE-2021-27585, CVE-2021-27586, CVE-2021-27587, CVE-2021-21493, CVE-2021-27588, CVE-2021-27591, CVE-2021-27584, CVE-2021-27589, CVE-2021-27590 | SAP 3D Visual Enterprise Viewer, Version - 9 | Medium | 4.3 |
| 2944188 | Update to security note released on November 2020 Patch Day: [CVE-2020-6316] Missing Authorization Check in SAP ERP and SAP S/4 HANA | SAP ERP, Versions - 600, 602, 603, 604, 605, 606, 616, 617, 618; SAP S/4 HANA, Versions - 100, 101, 102, 103, 104 | | |
