This post by the SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply the patches as a priority to protect their SAP landscape.
On 13th of April 2021, SAP Security Patch Day saw the release of 14 Security Notes. There were 5 updates to previously released Patch Day Security Notes.
List of security notes released on April Patch Day:
| Note# | Title | Priority | CVSS |
|---|---|---|---|
| 2622660 | Update to Security Note released on August 2018 Patch Day: | Hot News | 10 |
| 3040210 | [CVE-2021-27602] Remote Code Execution vulnerability in Source Rules of SAP Commerce. Product - SAP Commerce, Versions - 1808, 1811, 1905, 2005, 2011 | Hot News | 9.9 |
| 3022422 | Update to Security Note released on March 2021 Patch Day: [CVE-2021-21481] Missing Authorization Check in SAP NetWeaver AS JAVA (MigrationService). Product - SAP NetWeaver AS JAVA (MigrationService), Versions - 7.10, 7.11, 7.30, 7.31, 7.40, 7.50 | Hot News | 9.6 |
| 3017908 | [CVE-2021-21482] Information Disclosure in SAP NetWeaver Master Data Management. Product - SAP NetWeaver Master Data Management, Versions - 710, 710.750 | High | 8.3 |
| 3017823 | [CVE-2021-21483] Information Disclosure in SAP Solution Manager. Product - SAP Solution Manager, Version - 7.20 | High | 8.2 |
| 2993132 | Update to Security Note released on December 2020 Patch Day: [CVE-2020-26832] Missing Authorization check in SAP NetWeaver AS ABAP and SAP S4 HANA (SAP Landscape Transformation). Product - SAP NetWeaver AS ABAP (SAP Landscape Transformation - DMIS), Versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020; Product - SAP S4 HANA (SAP Landscape Transformation), Versions - 101, 102, 103, 104, 105 | High | 7.6 |
| 3039649 | [CVE-2021-27608] Unquoted Search Path in SAPSetup. Product - SAP Setup, Version - 9.0 | High | 7.5 |
| 3001824 | [CVE-2021-21485] Information Disclosure in SAP NetWeaver AS for Java (Telnet Commands). Product - SAP NetWeaver AS for JAVA (Telnet Commands), Versions - ENGINEAPI - 7.30, 7.31, 7.40, 7.50; ESP_FRAMEWORK - 7.10, 7.20, 7.30, 7.31, 7.40, 7.50; SERVERCORE - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; J2EE-FRMW - 7.10, 7.20, 7.30, 7.31, 7.40, 7.50 | High | 7.4 |
| 3027937 | [CVE-2021-27598] Improper Access Control in SAP NetWeaver AS for Java (Customer Usage Provisioning Servlet). Product - SAP NetWeaver AS for JAVA (Customer Usage Provisioning Servlet), Versions - 7.31, 7.40, 7.50 | Medium | 6.5 |
| 3028729 | [CVE-2021-27603] Denial of Service (DoS) in SAP NetWeaver AS for ABAP. Product - SAP NetWeaver AS for ABAP, Versions - 731, 740, 750 | Medium | 6.5 |
| 3012277 | [CVE-2021-27599] Information Disclosure in SAP Process Integration (Integration Builder Framework). Product - SAP Process Integration (Integration Builder Framework), Versions - 7.10, 7.30, 7.31, 7.40, 7.50 | Medium | 6.5 |
| 3036436 | [CVE-2021-27604] Potential XXE Vulnerability in SAP Process Integration (ESR Java Mappings). Product - SAP Process Integration (Enterprise Service Repository JAVA Mappings), Versions - 7.10, 7.20, 7.30, 7.31, 7.40, 7.50 | Medium | 6.5 |
| 3024414 | [CVE-2021-27600] Cross-Site Scripting (XSS) vulnerability in SAP Manufacturing Execution (System Rules). Product - SAP Manufacturing Execution (System Rules), Versions - 15.1, 15.2, 15.3, 15.4 | Medium | 6.4 |
| 2963592 | [CVE-2021-27601] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS Java (Applications based on HTMLB for Java). Product - SAP NetWeaver AS for Java (Applications based on HTMLB for Java), Versions - EP-BASIS - 7.10, 7.11, 7.30, 7.31, 7.40, 7.50; FRAMEWORK-EXT - 7.30, 7.31, 7.40, 7.50; FRAMEWORK - 7.10, 7.11 | Medium | 5.4 |
| 3036679 | Update to Security Note released on October 2011 Patch Day: | Medium | 5.3 |
| 2976947 | Update to Security Note released on March 2021 Patch Day: [CVE-2021-21491] Reverse TabNabbing vulnerability in SAP NetWeaver Application Server Java (Applications based on Web Dynpro Java). Product - SAP NetWeaver Application Server Java (Applications based on Web Dynpro Java), Versions - 7.00, 7.10, 7.11, 7.20, 7.30, 731, 7.40, 7.50 | Medium | 4.7 |
| 3030948 | [CVE-2021-27609] Missing Authorization check in SAP Focused RUN. Product - SAP Focused RUN, Versions - 200, 300 | Medium | 4.6 |
| 3025637 | [CVE-2021-21492] Content spoofing in NetWeaver AS Java HTTP Service. Product - SAP NetWeaver AS for JAVA (HTTP Service), Versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 | Medium | 4.3 |
| 3025054 | [CVE-2021-27605] Missing Authorization check in HCM Travel Management Fiori Apps V2. Product - SAP Fiori Apps 2.0 for Travel Management in SAP ERP, Version - 608 | Medium | 4.3 |
________________________________________________________________________________
[Figure: Vulnerability Type Distribution - April 2021]
# Multiple vulnerabilities on the same product can be fixed by one security note.
[Figure: Security Notes vs Priority Distribution (November 2020 – April 2021)**]
* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in the SAP Support Portal.
** Any Patch Day Security Note released after the second Tuesday will be accounted for in the following SAP Security Patch Day.
Customers who would like to see all Security Notes published or updated after March 9, 2021 can go to Launchpad Expert Search → Filter 'SAP Security Notes' released between 'March 10, 2021 - April 13, 2021' → Go.
To learn more about the security researchers and research companies who contributed to this month's security patches, visit the SAP Product Security Response Acknowledgement Page.
Do write to us at secure@sap.com with all your comments and feedback on this blog post.