SAP Security Patch Day – June 2021

This post by the SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply patches on a priority basis to protect their SAP landscape.

On 8th of June 2021, SAP Security Patch Day saw the release of 17 Security Notes. There were 2 updates to previously released Patch Day Security Notes.

List of security notes released on June Patch Day:

| Note# | Title | Priority | CVSS |
|---|---|---|---|
| 3040210 | Update to Security Note Released on April 2021 Patch Day:<br>[CVE-2021-27602] Remote Code Execution vulnerability in Source Rules of SAP Commerce<br>Product - SAP Commerce, Versions - 1808, 1811, 1905, 2005, 2011 | Hot News | 9.9 |
| 3007182 | [CVE-2021-27610] Improper Authentication in SAP NetWeaver ABAP Server and ABAP Platform<br>Product - SAP NetWeaver AS ABAP and ABAP Platform, Versions - 700,701,702,731,740,750,751,752,753,754,755,804 | Hot News | 9 |
| 3053066 | [CVE-2021-27635] Missing XML Validation in SAP NetWeaver AS for JAVA<br>Product - SAP NetWeaver AS for JAVA, Versions - 7.20, 7.30, 7.31, 7.40, 7.50 | High | 8.7 |
| 3020209 | [Multiple CVEs] Memory Corruption vulnerability in SAP NetWeaver ABAP Server and ABAP Platform<br>CVEs - CVE-2021-27606, CVE-2021-27629, CVE-2021-27630, CVE-2021-27631, CVE-2021-27632<br>Product - SAP NetWeaver AS for ABAP (RFC Gateway), Versions - KRNL32NUC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73,7.77,7.81,7.82,7.83 | High | 7.5 |
| 3020104 | [Multiple CVEs] Memory Corruption vulnerability in SAP NetWeaver ABAP Server and ABAP Platform<br>CVEs - CVE-2021-27597, CVE-2021-27633, CVE-2021-27634<br>Product - SAP NetWeaver ABAP Server and ABAP Platform (Enqueue Server), Versions - KRNL32NUC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73 | High | 7.5 |
| 3021197 | [Multiple CVEs] Memory Corruption vulnerability in SAP NetWeaver ABAP Server and ABAP Platform<br>CVEs - CVE-2021-27607, CVE-2021-27628<br>Product - SAP NetWeaver ABAP Server and ABAP Platform (Dispatcher), Versions - KRNL32NUC - 7.22,7.22EXT, KRNL32UC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73,7.77,7.81,7.82,7.83 | High | 7.5 |
| 3058382 | [CVE-2021-33662] Information Disclosure in SAP Business One<br>Product - SAP Business One, Version - 10.0 | Medium | 6.7 |
| 3030961 | [CVE-2021-27615] Cross-Site Scripting (XSS) vulnerability in SAP Manufacturing Execution<br>Product - SAP Manufacturing Execution, Versions - 15.1, 1.5.2, 15.3, 15.4 | Medium | 6.4 |
| 3002517 | [CVE-2021-21473] Missing Authorization check in SAP NetWeaver AS ABAP and ABAP Platform<br>Product - SAP NetWeaver AS ABAP and ABAP Platform (SRM_RFC_SUBMIT_REPORT), Versions - 700, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755 | Medium | 6.3 |
| 3004043 | [CVE-2021-21490] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS for ABAP (Web Survey)<br>Product - SAP NetWeaver AS for ABAP (Web Survey), Versions - 700, 702, 710, 711, 730, 731, 750, 750, 752, 75A, 75F | Medium | 6.1 |
| 3021050 | [Multiple CVEs] Memory Corruption vulnerability in SAP IGS<br>CVEs - CVE-2021-27620, CVE-2021-27622, CVE-2021-27623, CVE-2021-27624, CVE-2021-27625, CVE-2021-27626, CVE-2021-27627<br>Product - SAP NetWeaver AS (Internet Graphics Server – Portwatcher), Versions - 7.20,7.20EXT,7.53,7.20_EX2,7.81 | Medium | 5.9 |
| 3049879 | [CVE-2021-27637] Information Disclosure in SAP Enable Now (SAP Workforce Performance Builder - Manager)<br>Product - SAP Enable Now (SAP Workforce Performance Builder - Manager), Versions - 10.0, 1.0 | Medium | 5.9 |
| 3030604 | [CVE-2021-33663] Plaintext command injection in SAP NetWeaver AS ABAP<br>Product - SAP NetWeaver AS ABAP, Versions - KRNL32NUC - 7.22,7.22EXT, KRNL32UC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73,7.77,7.81,7.82,7.83,7.84 | Medium | 5.8 |
| 3023299 | [CVE-2021-27621] Information Disclosure in SAP NetWeaver AS JAVA (UserAdmin Application)<br>Product - SAP NetWeaver AS for Java (UserAdmin), Versions - 7.11,7.20,7.30,7.31,7.40,7.50 | Medium | 5.5 |
| 3025604 | [CVE-2021-33664] Cross-Site Scripting (XSS) vulnerability within SAP NetWeaver AS ABAP (Applications based on Web Dynpro ABAP)<br>Product - SAP NetWeaver Application Server ABAP (Applications based on Web Dynpro ABAP), Versions - SAP_UI – 750,752,753,754,755, SAP_BASIS – 702, 31 | Medium | 5.4 |
| 3028370 | [CVE-2021-33665] Cross-Site Scripting (XSS) vulnerability within SAP NetWeaver AS ABAP (Applications based on SAP GUI for HTML)<br>Product - SAP NetWeaver Application Server ABAP (Applications based on SAP GUI for HTML), Versions - KRNL64NUC - 7.49, KRNL64UC - 7.49,7.53, KERNEL - 7.49,7.53,7.77,7.81,7.84 | Medium | 5.4 |
| 2985562 | [CVE-2021-33666] MIME Sniffing Vulnerability in SAP Commerce Cloud<br>Product - SAP Commerce Cloud, Version - 100 | Medium | 4.7 |
| 3059999 | [Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer<br>CVEs - CVE-2021-27638, CVE-2021-27639, CVE-2021-27640, CVE-2021-33659, CVE-2021-27642, CVE-2021-33661, CVE-2021-27641, CVE-2021-27643, CVE-2021-33660<br>Product - SAP 3D Visual Enterprise Viewer, Version - 9 | Medium | 4.3 |
| 3025054 | Update to Security Note Released on April 2021 Patch Day:<br>[CVE-2021-27605] Missing Authorization check in HCM Travel Management Fiori Apps V2<br>Product - SAP Fiori Apps 2.0 for Travel Management in SAP ERP, Version - 608 | Medium | 4.3 |



[Figure: Vulnerability Type Distribution - June 2021]

# Multiple vulnerabilities on the same product can be fixed by one security note.

[Figure: Security Notes vs Priority Distribution (January – June 2021)**]

* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in the SAP Support Portal.

** Any Patch Day Security Note released after the second Tuesday will be accounted for in the following SAP Security Patch Day.


Customers who would like to take a look at all Security Notes published or updated after May 11, 2021, can go to Launchpad Expert Search → Filter 'SAP Security Notes' released between 'May 12, 2021 - June 8, 2021' → Go.

To learn more about the security researchers and research companies who have contributed to this month's security patches, visit the SAP Product Security Response Acknowledgement Page.

Do write to us at secure@sap.com with all your comments and feedback on this blog post.

SAP Product Security Response Team
