Child pages
  • SAP Security Patch Day – April 2021
Skip to end of metadata
Go to start of metadata

This post by SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that the customer visits the Support Portal and applies patches on a priority to protect their SAP landscape.

On 13th of April 2021, SAP Security Patch Day saw the release of 14 Security Notes. There were 5 updates to previously released Patch Day Security Notes.

List of security notes released on April Patch Day:

Note#TitlePriorityCVSS
2622660

Update to Security Note released on August 2018 Patch Day:
Security updates for the browser control Google Chromium delivered with SAP Business Client
Product - SAP Business Client, Version - 6.5

Hot News10
3040210[CVE-2021-27602Remote Code Execution vulnerability in Source Rules of SAP Commerce
Product - SAP Commerce, Versions - 1808, 1811, 1905, 2005, 2011 
Hot News9.9
3022422Update to Security Note released on March 2021 Patch Day:
[
CVE-2021-21481] Missing Authorization Check in SAP NetWeaver AS JAVA (MigrationService)
Product SAP NetWeaver AS JAVA (MigrationService), Versions - 7.10, 7.11, 7.30, 7.31, 7.40, 7.50
Hot News9.6
3017908[CVE-2021-21482] Information Disclosure in SAP NetWeaver Master Data Management
Product SAP NetWeaver Master Data Management, Versions - 710, 710.750
High8.3
3017823[CVE-2021-21483] Information Disclosure in SAP Solution Manager
Product SAP Solution Manager, Version - 7.20
High8.2
2993132Update to Security Note released on December 2020 Patch Day:
[CVE-2020-26832] Missing Authorization check in SAP NetWeaver AS ABAP and SAP S4 HANA (SAP Landscape Transformation)
Product - SAP NetWeaver AS ABAP (SAP Landscape Transformation - DMIS), Versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020
Product - SAP S4 HANA (SAP Landscape Transformation), Versions - 101, 102, 103, 104, 105 
High7.6
3039649[CVE-2021-27608] Unquoted Search Path in SAPSetup
Product - SAP Setup, Version - 9.0
High7.5
3001824[CVE-2021-21485] Information Disclosure in SAP NetWeaver AS for Java (Telnet Commands)
Product SAP NetWeaver AS for JAVA (Telnet Commands), Versions - ENGINEAPI - 7.30, 7.31, 7.40, 7.50, ESP_FRAMEWORK - 7.10, 7.20, 7.30, 7.31, 7.40, 7.50, SERVERCORE - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, J2EE-FRMW - 7.10, 7.20, 7.30, 7.31, 7.40, 7.50 
High7.4
3027937[CVE-2021-27598] Improper Access Control in SAP NetWeaver AS for Java (Customer Usage Provisioning Servlet)
Product SAP NetWeaver AS for JAVA (Customer Usage Provisioning Servlet), Versions - 7.31, 7.40, 7.50 
Medium6.5
3028729[CVE-2021-27603] Denial of Service(DoS) in SAP NetWeaver AS of ABAP
Product SAP NetWeaver AS for ABAP, Versions - 731, 740, 750 
Medium6.5
3012277[CVE-2021-27599] Information Disclosure in SAP Process Integration (Integration Builder Framework)
Product SAP Process Integration (Integration Builder Framework), Versions - 7.10, 7.30, 7.31, 7.40, 7.50 
Medium6.5
3036436[CVE-2021-27604] Potential XXE Vulnerability in SAP Process Integration (ESR Java Mappings)
Product SAP Process Integration (Enterprise Service Repository JAVA Mappings), Versions - 7.10, 7.20, 7.30, 7.31, 7.40, 7.50 
Medium6.5
3024414[CVE-2021-27600] Cross-Site Scripting (XSS) vulnerability in SAP Manufacturing Execution (System Rules)
Product SAP Manufacturing Execution (System Rules), Versions - 15.1, 15.2, 15.3, 15.4 
Medium6.4
2963592[CVE-2021-27601] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS Java (Applications based on HTMLB for Java)
Product SAP NetWeaver AS for Java (Applications based on HTMLB for Java)  , Versions - EP-BASIS - 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, FRAMEWORK-EXT - 7.30, 7.31, 7.40, 7.50, FRAMEWORK - 7.10, 7.11 
Medium5.4
3036679

Update to Security Note released on October 2011 Patch Day:
Update 1 to Security Note 1576763: Potential information disclosure relating to usernames
Product - SAP NetWeaver AS ABAP , Versions - 7.30

Medium5.3
2976947Update to Security Note released on March 2021 Patch Day:
[CVE-2021-21491] Reverse TabNabbing vulnerability in SAP NetWeaver Application Server Java (Applications based on Web Dynpro Java)
Product SAP NetWeaver Application Server Java (Applications based on Web Dynpro Java), Versions - 7.00, 7.10, 7.11, 7.20, 7.30, 731, 7.40, 7.50 
Medium4.7
3030948[CVE-2021-27609] Missing Authorization check in SAP Focused RUN
Product - SAP Focused RUN, Versions - 200, 300
Medium4.6
3025637[CVE-2021-21492] Content spoofing in NetWeaver AS Java HTTP Service
Product - SAP NetWeaver AS for JAVA (HTTP Service), Versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 
Medium4.3
3025054[CVE-2021-27605] Missing Authorization check in HCM Travel Management Fiori Apps V2
Product SAP Fiori Apps 2.0 for Travel Management in SAP ERP, Version - 608
Medium4.3

________________________________________________________________________________

Vulnerability Type Distribution -  April 2021

#Multiple vulnerabilities on same product can be fixed by one security note. 


Security Notes vs Priority Distribution (November 2020 – April 2021)**

* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in SAP Support Portal

** Any Patch Day Security Note released after the second Tuesday, will be accounted for in the following SAP Security Patch Day.


Customers who would like to take a look at all Security Notes published or updated after March 9, 2021, go to Launchpad Expert Search → Filter 'SAP Security Notes' released between 'March 10, 2021 - April 13, 2021' → Go.

To know more about the security researchers and research companies who have contributed for security patches of this month, visit SAP Product Security Response Acknowledgement Page.

Do write to us at secure@sap.com with all your comments and feedback on this blog post.

SAP Product Security Response Team

  • No labels