SAP Security Patch Day – March 2021

This post by the SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply patches on priority to protect their SAP landscape.

On the 9th of March 2021, SAP Security Patch Day saw the release of 9 Security Notes. There were 4 updates to previously released Patch Day Security Notes.

Edit: Please note, 1 new Security Note was released on 18 March, 2020. The list below reflects the same.

List of security notes released on March Patch Day:

| Note# | Title | Priority | CVSS |
|---|---|---|---|
| 2890213 | Update to security note released on March 2020 Patch Day: [CVE-2020-6207] Missing Authentication Check in SAP Solution Manager (User-Experience Monitoring); Product - SAP Solution Manager (User Experience Monitoring), Version - 7.2 | Hot News | 10 |
| 2622660 | Update to security note released on April 2018 Patch Day: Security updates for the browser control Google Chromium delivered with SAP Business Client; Product - SAP Business Client, Version - 6.5 | Hot News | 10 |
| 3022622 | [CVE-2021-21480] Code Injection Vulnerability in SAP MII; Product - SAP Manufacturing Integration and Intelligence, Versions - 15.1, 15.2, 15.3, 15.4 | Hot News | 9.9 |
| 3022422 | [CVE-2021-21481] Missing Authorization Check in SAP NetWeaver AS JAVA (MigrationService); Product - SAP NetWeaver AS JAVA (MigrationService), Versions - 7.10, 7.11, 7.30, 7.31, 7.40, 7.50 | Hot News | 9.6 |
| 3017378 | [CVE-2021-21484] Possible authentication bypass in SAP HANA LDAP scenarios; Product - SAP HANA, Version - 2.0 | High | 7.7 |
| 3007888 | [CVE-2021-21486] Missing Authorization check in SAP Enterprise Financial Services (Bank Customer Accounts); Product - SAP Enterprise Financial Services (Bank Customer Accounts), Versions - 101, 102, 103, 104, 105, 600, 603, 604, 605, 606, 616, 617, 618, 800 | Medium | 6.8 |
| 2983436 | [CVE-2021-21488] Insecure Deserialisation in SAP NetWeaver Knowledge Management; Product - SAP NetWeaver Knowledge Management, Versions - 7.01, 7.02, 7.30, 7.31, 7.40, 7.50 | Medium | 6.8 |
| 3023778 | [CVE-2021-21487] Missing Authorization Check in Payment Engine; Product - SAP Payment Engine, Version - 500 | Medium | 6.8 |
| 2943844 | Update to security note released on October 2020 Patch Day: [CVE-2020-6308] Server-Side Request Forgery vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Services); Product - SAP BusinessObjects Business Intelligence Platform (Web Services), Versions - 410, 420, 430 | Medium | 5.3 |
| 2976947 | [CVE-2021-21491] Reverse TabNabbing vulnerability in SAP NetWeaver Application Server Java (Applications based on Web Dynpro Java); Product - SAP NetWeaver Application Server Java (Applications based on Web Dynpro Java), Versions - 7.00, 7.10, 7.11, 7.20, 7.30, 731, 7.40, 7.50 | Medium | 4.7 |
| 3027767 | [CVE-2021-27592] Improper Input Validation in SAP 3D Visual Enterprise Viewer; Product - SAP 3D Visual Enterprise Viewer, Version - 9 | Medium | 4.3 |
| 3027758 | [Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer; Related CVEs - CVE-2021-27585, CVE-2021-27586, CVE-2021-27587, CVE-2021-21493, CVE-2021-27588, CVE-2021-27591, CVE-2021-27584, CVE-2021-27589, CVE-2021-27590; Product - SAP 3D Visual Enterprise Viewer, Version - 9 | Medium | 4.3 |
| 2944188 | Update to security note released on November 2020 Patch Day: [CVE-2020-6316] Missing Authorization Check in SAP ERP and SAP S/4 HANA; Product - SAP ERP, Versions - 600, 602, 603, 604, 605, 606, 616, 617, 618; Product - SAP S/4 HANA, Versions - 100, 101, 102, 103, 104 | Medium | 4.3 |
| 3035472 | [Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer; Related CVEs - CVE-2021-27596, CVE-2021-27594, CVE-2021-27593, CVE-2021-27595; Product - SAP 3D Visual Enterprise Viewer, Version - 9 | Medium | 4.3 |


Vulnerability Type Distribution - March 2021

# Multiple vulnerabilities on the same product can be fixed by one security note.


Security Notes vs Priority Distribution (October 2020 – March 2021)**

* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in the SAP Support Portal.

** Any Patch Day Security Note released after the second Tuesday will be accounted for in the following SAP Security Patch Day.


Customers who would like to take a look at all Security Notes published or updated after February 9, 2020, can go to Launchpad Expert Search → Filter 'SAP Security Notes' released between 'February 10, 2021 - March 9, 2021' → Go.

To learn more about the security researchers and research companies who have contributed to this month's security patches, visit the SAP Product Security Response Acknowledgement Page.

Do write to us at secure@sap.com with all your comments and feedback on this blog post.

SAP Product Security Response Team
