This post by the SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply patches on priority to protect their SAP landscape.
On 10 August 2021, SAP Security Patch Day saw the release of 14 Security Notes, plus 1 update to a previously released Patch Day Security Note.
List of security notes released on August Patch Day:
| Note# | Title | Severity | CVSS |
|---|---|---|---|
| 3071984 | [CVE-2021-33698] Unrestricted File Upload vulnerability in SAP Business One; Product - SAP Business One, Version - 10.0 | Hot News | 9.9 |
| 3072955 | [CVE-2021-33690] Server Side Request Forgery vulnerability in SAP NetWeaver Development Infrastructure (Component Build Service); Product - SAP NetWeaver Development Infrastructure (Component Build Service), Versions - 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 | Hot News | 9.9 |
| 3078312 | [CVE-2021-33701] SQL Injection vulnerability in SAP NZDT Row Count Reconciliation; Product - DMIS Mobile Plug-In, Versions - DMIS 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 710, 2011_1_731, 710, 2011_1_752, 2020; Product - SAP S/4HANA, Versions - SAPSCORE 125, S4CORE 102, 102, 103, 104, 105 | Hot News | 9.1 |
| 3073681 | [CVE-2021-33702] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal; Product - SAP NetWeaver Enterprise Portal, Versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 | High | 8.3 |
| 3072920 | [CVE-2021-33703] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal; Product - SAP NetWeaver Enterprise Portal (Application Extensions), Versions - 7.30, 7.31, 7.40, 7.50 | High | 8.3 |
| 3074844 | [CVE-2021-33705] Server-Side Request Forgery (SSRF) vulnerability in SAP NetWeaver Enterprise Portal; Product - SAP NetWeaver Enterprise Portal, Versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 | High | 8.1 |
| 3067219 | [CVE-2021-33699] Task Hijacking in SAP Fiori Client Native Mobile for Android; Product - SAP Fiori Client Native Mobile for Android, Version - 3.2 | High | 7.6 |
| 3073325 | [CVE-2021-33700] Missing Authentication check in SAP Business One; Product - SAP Business One, Version - 10.0 | High | 7.0 |
| 3073450 | [CVE-2021-33691] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Development Infrastructure (Notification Service); Product - SAP NetWeaver Development Infrastructure (Notification Service), Versions - 7.31, 7.40, 7.50 | Medium | 6.9 |
| 3058553 | [CVE-2021-33695] Multiple Vulnerabilities in SAP Cloud Connector (Additional CVEs - CVE-2021-33694, CVE-2021-33693, CVE-2021-33692); Product - SAP Cloud Connector, Version - 2.0 | Medium | 6.8 |
| 3078072 | [CVE-2021-33704] Missing Authorization Check in SAP Business One (Service Layer); Product - SAP Business One, Version - 10.0 | Medium | 6.3 |
| 3002517 | Update to Security Note released on June 2021 Patch Day: [CVE-2021-21473] Missing Authorization check in SAP NetWeaver AS ABAP and ABAP Platform; Product - SAP NetWeaver AS ABAP and ABAP Platform (SRM_RFC_SUBMIT_REPORT), Versions - 700, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755 | Medium | 6.3 |
| 3076399 | [CVE-2021-33707] URL Redirection vulnerability in SAP NetWeaver (Knowledge Management); Product - SAP NetWeaver (Knowledge Management), Versions - 7.30, 7.31, 7.40, 7.50 | Medium | 6.1 |
| 3062085 | [CVE-2021-33696] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (Crystal Report); Product - SAP BusinessObjects Business Intelligence Platform (Crystal Report), Versions - 420, 430 | Medium | 5.4 |
| 3063048 | [CVE-2021-33697] Reverse Tabnabbing in SAP BusinessObjects Business Intelligence Platform (SAP UI5); Product - SAP BusinessObjects Business Intelligence Platform (SAPUI5), Versions - 420, 430 | Medium | 4.7 |
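Vulnerability-management teams usually turn a bulletin like the one above into a machine-readable list before it reaches a ticketing system: every CVE (including the "Additional CVEs" folded into a note's title, as in note 3058553), the note number, and a rollout order. The following Python is an added example written for this post, not SAP tooling. It parses rows in the pipe-delimited form used in the table, extracts the CVE IDs, sorts notes for rollout by CVSS, and cross-checks each note's stated priority against the CVSS bands SAP uses for Patch Day priorities (Hot News 9.0-10.0, High 7.0-8.9, Medium 4.0-6.9, Low 0.1-3.9; treat those band edges as an assumption and confirm them on the Support Portal). The sample rows are copied from this post's table and embedded inline so the script runs offline.

```python
"""Triage helper for an SAP Patch Day bulletin (added example, not SAP's own code).

Parses pipe-delimited note rows as they appear in the post above, pulls every
CVE ID out of each title (including "Additional CVEs"), orders notes for
rollout, and flags notes whose stated priority does not match their CVSS band.
"""
import re
from dataclasses import dataclass, field

# Assumed SAP priority bands by CVSS v3 base score: Hot News / High / Medium / Low.
PRIORITY_BANDS = (
    ("Hot News", 9.0, 10.0),
    ("High", 7.0, 8.9),
    ("Medium", 4.0, 6.9),
    ("Low", 0.1, 3.9),
)

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample input: three rows copied from the table in this post.
SAMPLE_ROWS = """\
3071984 | [CVE-2021-33698] Unrestricted File Upload vulnerability in SAP Business One Product - SAP Business One, Version - 10.0 | Hot News | 9.9 |
3058553 | [CVE-2021-33695] Multiple Vulnerabilities in SAP Cloud Connector Additional CVEs - CVE-2021-33694, CVE-2021-33693, CVE-2021-33692 Product - SAP Cloud Connector, Version - 2.0 | Medium | 6.8 |
3002517 | Update to Security Note release on June 2021 Patch Day: [CVE-2021-21473] Missing Authorization check in SAP NetWeaver AS ABAP and ABAP Platform Product - SAP NetWeaver AS ABAP and ABAP Platform (SRM_RFC_SUBMIT_REPORT), Versions - 700, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755 | Medium | 6.3 |
"""


@dataclass
class SecurityNote:
    note: str
    title: str
    priority: str
    cvss: float
    cves: list = field(default_factory=list)
    is_update: bool = False  # re-released note rather than a new one


def expected_priority(cvss: float) -> str:
    """Map a CVSS base score onto the assumed SAP priority band."""
    for name, lo, hi in PRIORITY_BANDS:
        if lo <= cvss <= hi:
            return name
    raise ValueError(f"CVSS {cvss} is outside 0.1-10.0")


def parse_rows(text: str) -> list:
    """Parse 'note | title | priority | cvss |' rows; header/separator lines are skipped."""
    notes = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or not cells[0].isdigit():
            continue
        note, title, priority, cvss = cells
        notes.append(SecurityNote(
            note=note,
            title=title,
            priority=priority,
            cvss=float(cvss),
            cves=CVE_RE.findall(title),  # picks up "Additional CVEs" too
            is_update=title.startswith("Update to"),
        ))
    return notes


def all_cves(notes: list) -> list:
    """Every CVE ID in the bulletin, in table order, without duplicates."""
    seen = []
    for n in notes:
        for cve in n.cves:
            if cve not in seen:
                seen.append(cve)
    return seen


def mismatched_priorities(notes: list) -> list:
    """Note numbers whose stated priority disagrees with their CVSS band."""
    return [n.note for n in notes if expected_priority(n.cvss) != n.priority]


def patch_order(notes: list) -> list:
    """Rollout order: highest CVSS first, new notes ahead of updates at equal score."""
    return [n.note for n in sorted(notes, key=lambda n: (-n.cvss, n.is_update))]


if __name__ == "__main__":
    parsed = parse_rows(SAMPLE_ROWS)
    print("CVEs:", ", ".join(all_cves(parsed)))
    print("Rollout order:", patch_order(parsed))
    print("Priority mismatches:", mismatched_priorities(parsed) or "none")
```

Feeding the full table to `parse_rows` gives the complete CVE list for this Patch Day; `mismatched_priorities` is a cheap sanity check when a bulletin is transcribed by hand or scraped, since a note filed under the wrong priority can slip past a policy that only fast-tracks Hot News.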
________________________________________________________________________________
Vulnerability Type Distribution - August 2021
#Multiple vulnerabilities on same product can be fixed by one security note.
Security Notes vs Priority Distribution (March – August 2021)**
* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in SAP Support Portal
** Any Patch Day Security Note released after the second Tuesday, will be accounted for in the following SAP Security Patch Day.
Customers who would like to see all Security Notes published or updated after July 13, 2021, can go to Launchpad Expert Search → Filter 'SAP Security Notes' released between 'July 14, 2021 - August 10, 2021' → Go.
To know more about the security researchers and research companies who contributed to this month's security patches, visit the SAP Product Security Response Acknowledgement Page.
Do write to us at secure@sap.com with all your comments and feedback on this blog post.