This post by the SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply patches on priority to protect their SAP landscape.
On the 11th of May 2021, SAP Security Patch Day saw the release of 6 Security Notes. There were 5 updates to previously released Patch Day Security Notes.
List of security notes released on May Patch Day:
| Note# | Title | Product and versions |
|---|---|---|
| | Update to Security Note released on August 2018 Patch Day: | |
| 3040210 | Update to Security Note released on April 2021 Patch Day: [CVE-2021-27602] Remote Code Execution vulnerability in Source Rules of SAP Commerce | SAP Commerce, Versions - 1808, 1811, 1905, 2005, 2011 |
| 2999854 | Update to Security Note released on January 2021 Patch Day: [CVE-2021-21466] Code Injection in SAP Business Warehouse and SAP BW/4HANA | SAP Business Warehouse, Versions - 700, 701, 702, 711, 730, 731, 740, 750, 782; SAP BW4HANA, Versions - 100, 200 |
| 3046610 | [CVE-2021-27611] Code Injection vulnerability in SAP NetWeaver AS ABAP | SAP NetWeaver AS ABAP, Versions - 700, 701, 702, 730, 731 |
| | [CVE-2021-27616] Multiple vulnerabilities in SAP Business One, version for SAP HANA (Business-One-Hana-Chef-Cookbook) | |
| 3049755 | [CVE-2021-27613] Information Disclosure in SAP Business One (Chef business-one-cookbook) | SAP Business One (Cookbooks), Version - 0.1.9 |
| 3039818 | [CVE-2021-27619] Information Disclosure in SAP Commerce (Backoffice search) | SAP Commerce (Backoffice Search), Versions - 1808, 1811, 1905, 2005, 2011 |
| 3012021 | [Multiple CVEs] Multiple vulnerabilities in SAP Process Integration (Integration Builder Framework). CVEs - CVE-2021-27617, CVE-2021-27618 | SAP Process Integration (Integration Builder Framework), Versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 |
| 2976947 | Update to Security Note released on March 2021 Patch Day: [CVE-2021-21491] Reverse TabNabbing vulnerability in SAP NetWeaver Application Server Java (Applications based on Web Dynpro Java) | SAP NetWeaver Application Server Java (Applications based on Web Dynpro Java), Versions - 7.00, 7.10, 7.11, 7.20, 7.30, 731, 7.40, 7.50 |
| 3030948 | Update to Security Note released on April 2021 Patch Day: [CVE-2021-27609] Missing Authorization check in SAP Focused RUN | SAP Focused RUN, Versions - 200, 300 |
| 3023078 | [CVE-2021-27612] SAP GUI for Windows is vulnerable to redirect users to an untrusted website | SAP GUI for Windows, Versions - 7.60, 7.70 |
Vulnerability Type Distribution - May 2021
# Multiple vulnerabilities on the same product can be fixed by one security note.
Security Notes vs Priority Distribution (December 2020 – May 2021)**
* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in SAP Support Portal.
** Any Patch Day Security Note released after the second Tuesday will be accounted for in the following SAP Security Patch Day.
Customers who would like to take a look at all Security Notes published or updated after April 13, 2021, can go to Launchpad Expert Search → Filter 'SAP Security Notes' released between 'April 14, 2021 - May 11, 2021' → Go.
To know more about the security researchers and research companies who have contributed to this month's security patches, visit the SAP Product Security Response Acknowledgement Page.
Do write to us at firstname.lastname@example.org with all your comments and feedback on this blog post.