SAP Security Patch Day – September 2021

This post by the SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply patches as a priority to protect their SAP landscape.

On 14 September 2021, SAP Security Patch Day saw the release of 17 Security Notes. There were 2 updates to previously released Patch Day Security Notes.

List of security notes released on September Patch Day:

Note# | Severity | CVSS (title and affected products listed under each note)

2622660 | HotNews | 10
Update to Security Note released on April 2018 Patch Day:
Security updates for the browser control Google Chromium delivered with SAP Business Client
Product - SAP Business Client, Version - 6.5

3078609 | HotNews | 10
[CVE-2021-37535] Missing Authorization check in SAP NetWeaver Application Server for Java (JMS Connector Service)
Product - SAP NetWeaver Application Server Java (JMS Connector Service), Versions - 7.11, 7.20, 7.30, 7.31, 7.40, 7.50

3071984 | HotNews | 9.9
Update to Security Note released on August 2021 Patch Day:
[CVE-2021-33698] Unrestricted File Upload vulnerability in SAP Business One
Product - SAP Business One, Version - 10.0

3089831 | HotNews | 9.9
[CVE-2021-38176] SQL Injection vulnerability in SAP NZDT Mapping Table Framework
Product - SAP S/4HANA, Versions - 1511, 1610, 1709, 1809, 1909, 2020, 2021
Product - SAP LT Replication Server, Versions - 2.0, 3.0
Product - SAP LTRS for S/4HANA, Version - 1.0
Product - SAP Test Data Migration Server, Version - 4.0
Product - SAP Landscape Transformation, Version - 2.0

3084487 | HotNews | 9.9
[CVE-2021-38163] Unrestricted File Upload vulnerability in SAP NetWeaver (Visual Composer 7.0 RT)
Product - SAP NetWeaver (Visual Composer 7.0 RT), Versions - 7.30, 7.31, 7.40, 7.50

3081888 | HotNews | 9.9
[CVE-2021-37531] Code Injection vulnerability in SAP NetWeaver Knowledge Management (XMLForms)
Product - SAP NetWeaver Knowledge Management XML Forms, Versions - 7.10, 7.11, 7.30, 7.31, 7.40, 7.50

3073891 | HotNews | 9.6
[CVE-2021-33672] Multiple vulnerabilities in SAP Contact Center
Additional CVEs - CVE-2021-33673, CVE-2021-33674, CVE-2021-33675
Product - SAP Contact Center, Version - 700

3080567 | High | 8.9
[CVE-2021-38162] HTTP Request Smuggling in SAP Web Dispatcher
Product - SAP Web Dispatcher, Versions - WEBDISP - 7.49, 7.53, 7.77, 7.81; KRNL64NUC - 7.22, 7.22EXT, 7.49; KRNL64UC - 7.22, 7.22EXT, 7.49, 7.53; KERNEL - 7.22, 7.49, 7.53, 7.77, 7.81, 7.83

3051787 | High | 7.5
[CVE-2021-38177] Null Pointer Dereference vulnerability in SAP CommonCryptoLib
Product - SAP CommonCryptoLib, Versions - 8.5.38 or lower

3069032 | Medium | 6.5
[CVE-2021-33685] Directory Traversal vulnerability in SAP Business One
Product - SAP Business One, Version - 10.0

3082500 | Medium | 6.5
[CVE-2021-38175] Information Disclosure in SAP Analysis for Microsoft Office
Product - SAP Analysis for Microsoft Office, Version - 2.8

3060621 | Medium | 6.1
[CVE-2021-38150] Information Disclosure in SAP Business Client
Product - SAP Business Client, Versions - 7.0, 7.70

3055180 | Medium | 5.4
[CVE-2021-33679] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (BI Workspace)
Product - SAP BusinessObjects Business Intelligence Platform (BI Workspace), Version - 420

3068582 | Medium | 5.4
[CVE-2021-38164] Missing Authorization check in SAP ERP Financial Accounting / RFOPENPOSTING_FR
Product - SAP ERP Financial Accounting (RFOPENPOSTING_FR), Versions - SAP_APPL - 600, 602, 603, 604, 605, 606, 616; SAP_FIN - 617, 618, 700, 720, 730; SAPSCORE - 125; S4CORE - 100, 101, 102, 103, 104, 105

3070138 | Medium | 5.3
[CVE-2021-33686] Information Disclosure in SAP Business One
Product - SAP Business One, Version - 10.0

3082219 | Medium | 4.8
[CVE-2021-21489] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal
Product - SAP NetWeaver Enterprise Portal, Versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50

3069882 | Medium | 4.3
[CVE-2021-33688] SQL Injection vulnerability in SAP Business One
Product - SAP Business One, Version - 10.0

3075546 | Medium | 4.3
[CVE-2021-37532] Directory Listing Enabled in SAP Business One
Product - SAP Business One, Version - 10.0

3087791 | Medium | 4.3
[CVE-2021-38174] Improper Input Validation in SAP 3D Visual Enterprise Viewer
Product - SAP 3D Visual Enterprise Viewer, Version - 9.0


[Chart: Vulnerability Type Distribution - September 2021]

# Multiple vulnerabilities in the same product can be fixed by one security note.

[Chart: Security Notes vs Priority Distribution (April - September 2021)**]


* Patch Day Security Notes are all notes that appear under the category "Patch Day Notes" in the SAP Support Portal.

** Any Patch Day Security Note released after the second Tuesday will be accounted for in the following SAP Security Patch Day.


Customers who would like to see all Security Notes published or updated after August 10, 2021 can go to Launchpad Expert Search → Filter 'SAP Security Notes' released between 'August 11, 2021 - September 14, 2021' → Go.

To learn more about the security researchers and research companies who contributed to this month's security patches, visit the SAP Product Security Response Acknowledgement Page.

Do write to us at secure@sap.com with all your comments and feedback on this blog post.

SAP Product Security Response Team
