SAP Security Patch Day - December 2021

This post by the SAP Product Security Response Team shares information on the Patch Day Security Notes that are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply the patches with priority to protect their SAP landscape.

On 14 December 2021, SAP Security Patch Day saw the release of 10 Security Notes, together with 5 updates to previously released Patch Day Security Notes.
SAP has published a separate statement on CVE-2021-44228 (the Apache Log4j vulnerability).

List of security notes released on December Patch Day (note number, title, affected products, priority and CVSS score):

2622660 - Update to a previously released Patch Day Security Note:
  Security updates for the browser control Google Chromium delivered with SAP Business Client
  Product - SAP Business Client, Version - 6.5
  Priority - Hot News, CVSS - 10.0

3109577 - Code Execution vulnerability in SAP Commerce, localization for China
  Related CVEs - CVE-2021-21341, CVE-2021-21342, CVE-2021-21343, CVE-2021-21344, CVE-2021-21345, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348, CVE-2021-21349, CVE-2021-21350, CVE-2021-21351
  Product - SAP Commerce, localization for China, Version - 2001
  Priority - Hot News, CVSS - 9.9

3119365 - [CVE-2021-44231] Code Injection vulnerability in SAP ABAP Server & ABAP Platform (Translation Tools)
  Product - SAP ABAP Server & ABAP Platform (Translation Tools), Versions - 701, 740, 750, 751, 752, 753, 754, 755, 756, 804
  Priority - Hot News, CVSS - 9.9

3089831 - Update to Security Note released on September 2021 Patch Day:
  [CVE-2021-38176] SQL Injection vulnerability in SAP NZDT Mapping Table Framework
  Product - SAP S/4HANA, Versions - 1511, 1610, 1709, 1809, 1909, 2020, 2021
  Product - SAP LT Replication Server, Versions - 2.0, 3.0
  Product - SAP LTRS for S/4HANA, Version - 1.0
  Product - SAP Test Data Migration Server, Version - 4.0
  Product - SAP Landscape Transformation, Version - 2.0
  Priority - Hot News, CVSS - 9.9

3114134 - [CVE-2021-42064] SQL Injection vulnerability in SAP Commerce
  Product - SAP Commerce, Versions - 1905, 2005, 2011, 2105
  Priority - High, CVSS - 8.8

3102769 - [CVE-2021-42063] Cross-Site Scripting (XSS) vulnerability in SAP Knowledge Warehouse
  Product - SAP Knowledge Warehouse, Versions - 7.30, 7.31, 7.40, 7.50
  Priority - High, CVSS - 8.8

3123196 - [CVE-2021-44235] Code Injection vulnerability in utility class for SAP NetWeaver AS ABAP
  Product - SAP NetWeaver AS ABAP, Versions - 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756
  Priority - High, CVSS - 8.4

3077635 - [CVE-2021-40498] Denial of Service (DoS) in the SAP SuccessFactors Mobile Application for Android devices
  Product - SAP SuccessFactors Mobile Application (for Android devices), Versions - below 2108
  Priority - High, CVSS - 7.8

3124094 - [CVE-2021-44232] Directory Traversal vulnerability in SAF-T Framework
  Product - SAF-T Framework, Versions - SAP_FIN 617, 618, 720, 730; SAP_APPL 600, 602, 603, 604, 605, 606; S4CORE 102, 103, 104, 105
  Priority - High, CVSS - 7.7

3113593 - Denial of Service (DoS) in SAP Commerce
  Related CVE - CVE-2021-37714
  Product - SAP Commerce, Versions - 1905, 2005, 2011, 2105
  Priority - High, CVSS - 7.5

3000663 - Update to Security Note released on July 2021 Patch Day:
  [CVE-2021-33683] HTTP Request Smuggling in SAP Web Dispatcher and Internet Communication Manager
  Product - SAP Web Dispatcher and Internet Communication Manager, Versions - KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT; KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT; KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49; KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.53, 7.73; WEBDISP 7.53, 7.73, 7.77, 7.81, 7.82, 7.83; KERNEL 7.21, 7.22, 7.49, 7.53, 7.73, 7.77, 7.81, 7.82, 7.83
  Priority - Medium, CVSS - 5.4

3121165 - [Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer
  Related CVEs - CVE-2021-42068, CVE-2021-42069, CVE-2021-42070
  Product - SAP 3D Visual Enterprise Viewer, Version - 9
  Priority - Medium, CVSS - 4.3

2843016 - Update to Security Note released on November 2019 Patch Day:
  [CVE-2019-0388] Content spoofing vulnerability in UI5 HTTP Handler
  Product - SAP UI, Versions - 7.5, 7.51, 7.52, 7.53, 7.54
  Product - SAP UI 700, Version - 2.0
  Priority - Medium, CVSS - 4.3

3103677 - [CVE-2021-42061] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence platform (Web Intelligence)
  Product - SAP BusinessObjects Business Intelligence Platform, Version - 420
  Priority - Medium, CVSS - 4.1

3080816 - [CVE-2021-44233] Missing Authorization check in GRC Access Control
  Product - SAP GRC Access Control, Versions - V1100_700, V1100_731, V1200_750
  Priority - Low, CVSS - 2.4



Customers who would like to see all Security Notes published or updated after November 9, 2021 can go to Launchpad Expert Search, filter 'SAP Security Notes' released between 'November 10, 2021 - December 14, 2021', and click Go.

To learn more about the security researchers and research companies who contributed to this month's security patches, visit the SAP Product Security Response Acknowledgement Page.

Write to us at secure@sap.com with your comments and feedback on this blog post.

SAP Product Security Response Team
