This post by the SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply patches on priority to protect their SAP landscape.
On 14 September 2021, SAP Security Patch Day saw the release of 17 Security Notes. There were 2 updates to previously released Patch Day Security Notes.
List of security notes released on September Patch Day:
Update to Security Note released on April 2018 Patch Day:
[CVE-2021-37535] Missing Authorization check in SAP NetWeaver Application Server for Java (JMS Connector Service)
Update to Security Note released on August 2021 Patch Day:
[CVE-2021-38176] SQL Injection vulnerability in SAP NZDT Mapping Table Framework
[CVE-2021-38163] Unrestricted File Upload vulnerability in SAP NetWeaver (Visual Composer 7.0 RT)
[CVE-2021-37531] Code Injection vulnerability in SAP NetWeaver Knowledge Management (XMLForms)
[CVE-2021-38162] HTTP Request Smuggling in SAP Web Dispatcher
[CVE-2021-38177] Null Pointer Dereference vulnerability in SAP CommonCryptoLib
[CVE-2021-33685] Directory Traversal vulnerability in SAP Business One
[CVE-2021-38175] Information Disclosure in SAP Analysis for Microsoft Office
[CVE-2021-38150] Information disclosure in SAP Business Client
[CVE-2021-33679] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (BI Workspace)
[CVE-2021-38164] Missing Authorization check in SAP ERP Financial Accounting / RFOPENPOSTING_FR
[CVE-2021-33686] Information Disclosure in SAP Business One
[CVE-2021-21489] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal
[CVE-2021-33688] SQL Injection vulnerability in SAP Business One
[CVE-2021-37532] Directory Listing Enabled in SAP Business One
[CVE-2021-38174] Improper Input Validation in SAP 3D Visual Enterprise Viewer
Vulnerability Type Distribution - September 2021
# Multiple vulnerabilities on the same product can be fixed by one security note.
Security Notes vs Priority Distribution (April – September 2021)**
* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in SAP Support Portal.
** Any Patch Day Security Note released after the second Tuesday will be accounted for in the following SAP Security Patch Day.
Customers who would like to take a look at all Security Notes published or updated after August 10, 2021, can go to Launchpad Expert Search → Filter 'SAP Security Notes' released between 'August 11, 2021 - September 14, 2021' → Go.
To know more about the security researchers and research companies who have contributed to this month's security patches, visit the SAP Product Security Response Acknowledgement Page.
Do write to us at firstname.lastname@example.org with all your comments and feedback on this blog post.