This post by the SAP Product Security Response Team shares information on the Patch Day Security Notes* that are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply the patches on priority to protect their SAP landscape.
On 8 June 2021, SAP Security Patch Day saw the release of 17 Security Notes. There were 2 updates to previously released Patch Day Security Notes.
List of security notes released on June Patch Day:
| Note# | Title | Priority | CVSS |
|---|---|---|---|
| 3040210 | Update to Security Note Released on April 2021 Patch Day: [CVE-2021-27602] Remote Code Execution vulnerability in Source Rules of SAP Commerce. Product - SAP Commerce, Versions - 1808, 1811, 1905, 2005, 2011 | Hot News | 9.9 |
| 3007182 | [CVE-2021-27610] Improper Authentication in SAP NetWeaver ABAP Server and ABAP Platform. Product - SAP NetWeaver AS ABAP and ABAP Platform, Versions - 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 804 | Hot News | 9.0 |
| 3053066 | [CVE-2021-27635] Missing XML Validation in SAP NetWeaver AS for JAVA. Product - SAP NetWeaver AS for JAVA, Versions - 7.20, 7.30, 7.31, 7.40, 7.50 | High | 8.7 |
| 3020209 | [Multiple CVEs] Memory Corruption vulnerability in SAP NetWeaver ABAP Server and ABAP Platform. CVEs - CVE-2021-27606, CVE-2021-27629, CVE-2021-27630, CVE-2021-27631, CVE-2021-27632. Product - SAP NetWeaver AS for ABAP (RFC Gateway), Versions - KRNL32NUC - 7.22, 7.22EXT; KRNL64NUC - 7.22, 7.22EXT, 7.49; KRNL64UC - 8.04, 7.22, 7.22EXT, 7.49, 7.53, 7.73; KERNEL - 7.22, 8.04, 7.49, 7.53, 7.73, 7.77, 7.81, 7.82, 7.83 | High | 7.5 |
| 3020104 | [Multiple CVEs] Memory Corruption vulnerability in SAP NetWeaver ABAP Server and ABAP Platform. CVEs - CVE-2021-27597, CVE-2021-27633, CVE-2021-27634. Product - SAP NetWeaver ABAP Server and ABAP Platform (Enqueue Server), Versions - KRNL32NUC - 7.22, 7.22EXT; KRNL64NUC - 7.22, 7.22EXT, 7.49; KRNL64UC - 8.04, 7.22, 7.22EXT, 7.49, 7.53, 7.73; KERNEL - 7.22, 8.04, 7.49, 7.53, 7.73 | High | 7.5 |
| 3021197 | [Multiple CVEs] Memory Corruption vulnerability in SAP NetWeaver ABAP Server and ABAP Platform. CVEs - CVE-2021-27607, CVE-2021-27628. Product - SAP NetWeaver ABAP Server and ABAP Platform (Dispatcher), Versions - KRNL32NUC - 7.22, 7.22EXT; KRNL32UC - 7.22, 7.22EXT; KRNL64NUC - 7.22, 7.22EXT, 7.49; KRNL64UC - 8.04, 7.22, 7.22EXT, 7.49, 7.53, 7.73; KERNEL - 7.22, 8.04, 7.49, 7.53, 7.73, 7.77, 7.81, 7.82, 7.83 | High | 7.5 |
| 3058382 | [CVE-2021-33662] Information Disclosure in SAP Business One. Product - SAP Business One, Version - 10.0 | Medium | 6.7 |
| 3030961 | [CVE-2021-27615] Cross-Site Scripting (XSS) vulnerability in SAP Manufacturing Execution. Product - SAP Manufacturing Execution, Versions - 15.1, 1.5.2, 15.3, 15.4 | Medium | 6.4 |
| 3002517 | [CVE-2021-21473] Missing Authorization check in SAP NetWeaver AS ABAP and ABAP Platform. Product - SAP NetWeaver AS ABAP and ABAP Platform (SRM_RFC_SUBMIT_REPORT), Versions - 700, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755 | Medium | 6.3 |
| 3004043 | [CVE-2021-21490] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS for ABAP (Web Survey). Product - SAP NetWeaver AS for ABAP (Web Survey), Versions - 700, 702, 710, 711, 730, 731, 750, 750, 752, 75A, 75F | Medium | 6.1 |
| 3021050 | [Multiple CVEs] Memory Corruption vulnerability in SAP IGS. CVEs - CVE-2021-27620, CVE-2021-27622, CVE-2021-27623, CVE-2021-27624, CVE-2021-27625, CVE-2021-27626, CVE-2021-27627. Product - SAP NetWeaver AS (Internet Graphics Server - Portwatcher), Versions - 7.20, 7.20EXT, 7.53, 7.20_EX2, 7.81 | Medium | 5.9 |
| 3049879 | [CVE-2021-27637] Information Disclosure in SAP Enable Now (SAP Workforce Performance Builder - Manager). Product - SAP Enable Now (SAP Workforce Performance Builder - Manager), Versions - 10.0, 1.0 | Medium | 5.9 |
| 3030604 | [CVE-2021-33663] Plaintext command injection in SAP NetWeaver AS ABAP. Product - SAP NetWeaver AS ABAP, Versions - KRNL32NUC - 7.22, 7.22EXT; KRNL32UC - 7.22, 7.22EXT; KRNL64NUC - 7.22, 7.22EXT, 7.49; KRNL64UC - 8.04, 7.22, 7.22EXT, 7.49, 7.53, 7.73; KERNEL - 7.22, 8.04, 7.49, 7.53, 7.73, 7.77, 7.81, 7.82, 7.83, 7.84 | Medium | 5.8 |
| 3023299 | [CVE-2021-27621] Information Disclosure in SAP NetWeaver AS JAVA (UserAdmin Application). Product - SAP NetWeaver AS for Java (UserAdmin), Versions - 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 | Medium | 5.5 |
| 3025604 | [CVE-2021-33664] Cross-Site Scripting (XSS) vulnerability within SAP NetWeaver AS ABAP (Applications based on Web Dynpro ABAP). Product - SAP NetWeaver Application Server ABAP (Applications based on Web Dynpro ABAP), Versions - SAP_UI - 750, 752, 753, 754, 755; SAP_BASIS - 702, 31 | Medium | 5.4 |
| 3028370 | [CVE-2021-33665] Cross-Site Scripting (XSS) vulnerability within SAP NetWeaver AS ABAP (Applications based on SAP GUI for HTML). Product - SAP NetWeaver Application Server ABAP (Applications based on SAP GUI for HTML), Versions - KRNL64NUC - 7.49; KRNL64UC - 7.49, 7.53; KERNEL - 7.49, 7.53, 7.77, 7.81, 7.84 | Medium | 5.4 |
| 2985562 | [CVE-2021-33666] MIME Sniffing Vulnerability in SAP Commerce Cloud. Product - SAP Commerce Cloud, Version - 100 | Medium | 4.7 |
| 3059999 | [Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer. CVEs - CVE-2021-27638, CVE-2021-27639, CVE-2021-27640, CVE-2021-33659, CVE-2021-27642, CVE-2021-33661, CVE-2021-27641, CVE-2021-27643, CVE-2021-33660. Product - SAP 3D Visual Enterprise Viewer, Version - 9 | Medium | 4.3 |
| 3025054 | Update to Security Note Released on April 2021 Patch Day: [CVE-2021-27605] Missing Authorization check in HCM Travel Management Fiori Apps V2. Product - SAP Fiori Apps 2.0 for Travel Management in SAP ERP, Version - 608 | Medium | 4.3 |
[Chart: Vulnerability Type Distribution - June 2021]
# Multiple vulnerabilities on the same product can be fixed by one security note.
[Chart: Security Notes vs Priority Distribution (January - June 2021)**]
* Patch Day Security Notes are all notes that appear under the category "Patch Day Notes" in the SAP Support Portal.
** Any Patch Day Security Note released after the second Tuesday will be accounted for in the following SAP Security Patch Day.
Customers who would like to see all Security Notes published or updated after May 11, 2021 can go to Launchpad Expert Search, filter 'SAP Security Notes' released between 'May 12, 2021 - June 8, 2021', and click Go.
To learn more about the security researchers and research companies who contributed to this month's security patches, visit the SAP Product Security Response Acknowledgement Page.
Do write to us at secure@sap.com with all your comments and feedback on this blog post.