SAP Security Patch Day – October 2021

This post by the SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply patches on priority to protect their SAP landscape.

On 12th of October 2021, SAP Security Patch Day saw the release of 13 Security Notes. There was 1 update to a previously released Patch Day Security Note.

List of security notes released on October Patch Day:

| Note# | Title | Priority | CVSS |
|---|---|---|---|
| 2622660 | Update to Security Note released on April 2018 Patch Day: Security updates for the browser control Google Chromium delivered with SAP Business Client; Product – SAP Business Client, Version – 6.5 | HotNews | 10 |
| 3101406 | Potential XML External Entity Injection Vulnerability in SAP Environmental Compliance; Related CVEs - CVE-2020-10683, CVE-2021-23926; Product - SAP Environmental Compliance, Version - 3.0 | HotNews | 9.8 |
| 3097887 | [CVE-2021-38178] Improper Authorization in SAP NetWeaver AS ABAP and ABAP Platform; Product - SAP NetWeaver AS ABAP and ABAP Platform, Versions - 700, 701, 702, 710, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756 | HotNews | 9.1 |
| 3077635 | [CVE-2021-40498] Denial of service (DOS) in the SAP SuccessFactors Mobile Application for Android devices; Product - SAP SuccessFactors Mobile Application (for Android devices), Versions - <2108 | High | 7.8 |
| 3074693 | [CVE-2021-40500] Missing XML Validation in SAP BusinessObjects Business Intelligence Platform (Crystal Reports); Product - SAP BusinessObjects Business Intelligence Platform (Crystal Reports), Versions - 420, 430 | Medium | 6.9 |
| 3074819 | [CVE-2021-38179] Information Disclosure in SAP Business One; Product - SAP Business One, Version - 10.0 | Medium | 6.7 |
| 3079427 | [CVE-2021-38180] CSV Injection in SAP Business One; Product - SAP Business One, Version - 10.0 | Medium | 6.5 |
| 3080710 | [CVE-2021-38181] Denial of service (DOS) in SAP NetWeaver AS ABAP and ABAP Platform; Product - SAP NetWeaver AS ABAP and ABAP Platform, Versions - 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756 | Medium | 6.5 |
| 3100882 | [CVE-2021-40499] Code Injection vulnerability for SAP NetWeaver Application Server for ABAP (SAP Cloud Print Manager and SAPSprint); Product - SAP NetWeaver Application Server for ABAP (SAP Cloud Print Manager and SAPSprint), Versions - 7.70, 7.70 PI, 7.70BYD | Medium | 6.4 |
| 3055347 | Cross-Site Scripting (XSS) vulnerability in SAPUI5; Related CVE - CVE-2020-11023; Product - SAPUI5, Versions - 750, 753, 754 | Medium | 6.1 |
| 3084937 | [CVE-2021-38183] Cross-Site Scripting (XSS) vulnerability in cms Service of SAP NetWeaver; Product - SAP NetWeaver, Versions - 700, 701, 702, 730 | Medium | 5.4 |
| 3099011 | [CVE-2021-40495] Denial of Service (DOS) in SAP NetWeaver Application Server for ABAP and ABAP Platform; Product - SAP NetWeaver AS ABAP and ABAP Platform, Versions - 740, 750, 751, 752, 753, 754, 755 | Medium | 5.3 |
| 3098917 | [CVE-2021-40497] Information Disclosure in SAP BusinessObjects Analysis (edition for OLAP); Product - SAP BusinessObjects Analysis, (edition for OLAP), Versions - 420, 430 | Medium | 4.3 |
| 3087254 | [CVE-2021-40496] Improper Access Control in SAP NetWeaver AS ABAP and ABAP Platform; Product - SAP NetWeaver AS ABAP and ABAP Platform, Versions - 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 785 | Medium | 4.3 |


[Figure: Vulnerability Type Distribution - October 2021]

# Multiple vulnerabilities on the same product can be fixed by one security note.


[Figure: Security Notes vs Priority Distribution (May – October 2021)**]

* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in SAP Support Portal.

** Any Patch Day Security Note released after the second Tuesday will be accounted for in the following SAP Security Patch Day.


Customers who would like to take a look at all Security Notes published or updated after September 14, 2021 can go to Launchpad Expert Search → Filter 'SAP Security Notes' released between 'September 15, 2021 - October 12, 2021' → Go.

To know more about the security researchers and research companies who have contributed to this month's security patches, visit the SAP Product Security Response Acknowledgement Page.

Do write to us at secure@sap.com with all your comments and feedback on this blog post.

SAP Product Security Response Team
