This post by the SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply patches on priority to protect their SAP landscape.
On 12th of October 2021, SAP Security Patch Day saw the release of 13 Security Notes. There was 1 update to a previously released Patch Day Security Note.
List of security notes released on October Patch Day:
| Note# | Title | Priority | CVSS |
|---|---|---|---|
| 2622660 | Update to Security Note released on April 2018 Patch Day: | HotNews | 10 |
| 3101406 | Potential XML External Entity Injection Vulnerability in SAP Environmental Compliance | HotNews | 9.8 |
| 3097887 | [CVE-2021-38178] Improper Authorization in SAP NetWeaver AS ABAP and ABAP Platform. Product: SAP NetWeaver AS ABAP and ABAP Platform; Versions: 700, 701, 702, 710, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756 | HotNews | 9.1 |
| 3077635 | [CVE-2021-40498] Denial of service (DOS) in the SAP SuccessFactors Mobile Application for Android devices. Product: SAP SuccessFactors Mobile Application (for Android devices); Versions: <2108 | High | 7.8 |
| 3074693 | [CVE-2021-40500] Missing XML Validation in SAP BusinessObjects Business Intelligence Platform (Crystal Reports). Product: SAP BusinessObjects Business Intelligence Platform (Crystal Reports); Versions: 420, 430 | Medium | 6.9 |
| 3074819 | [CVE-2021-38179] Information Disclosure in SAP Business One. Product: SAP Business One; Version: 10.0 | Medium | 6.7 |
| 3079427 | [CVE-2021-38180] CSV Injection in SAP Business One. Product: SAP Business One; Version: 10.0 | Medium | 6.5 |
| 3080710 | [CVE-2021-38181] Denial of service (DOS) in SAP NetWeaver AS ABAP and ABAP Platform. Product: SAP NetWeaver AS ABAP and ABAP Platform; Versions: 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756 | Medium | 6.5 |
| 3100882 | [CVE-2021-40499] Code Injection vulnerability for SAP NetWeaver Application Server for ABAP (SAP Cloud Print Manager and SAPSprint). Product: SAP NetWeaver Application Server for ABAP (SAP Cloud Print Manager and SAPSprint); Versions: 7.70, 7.70 PI, 7.70BYD | Medium | 6.4 |
| 3055347 | Cross-Site Scripting (XSS) vulnerability in SAPUI5 (related CVE: CVE-2020-11023). Product: SAPUI5; Versions: 750, 753, 754 | Medium | 6.1 |
| 3084937 | [CVE-2021-38183] Cross-Site Scripting (XSS) vulnerability in cms Service of SAP NetWeaver. Product: SAP NetWeaver; Versions: 700, 701, 702, 730 | Medium | 5.4 |
| 3099011 | [CVE-2021-40495] Denial of Service (DOS) in SAP NetWeaver Application Server for ABAP and ABAP Platform. Product: SAP NetWeaver AS ABAP and ABAP Platform; Versions: 740, 750, 751, 752, 753, 754, 755 | Medium | 5.3 |
| 3098917 | [CVE-2021-40497] Information Disclosure in SAP BusinessObjects Analysis (edition for OLAP). Product: SAP BusinessObjects Analysis (edition for OLAP); Versions: 420, 430 | Medium | 4.3 |
| 3087254 | [CVE-2021-40496] Improper Access Control in SAP NetWeaver AS ABAP and ABAP Platform. Product: SAP NetWeaver AS ABAP and ABAP Platform; Versions: 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 785 | Medium | 4.3 |
Chart: Vulnerability Type Distribution - October 2021
# Multiple vulnerabilities on the same product can be fixed by one security note.
Chart: Security Notes vs Priority Distribution (May – October 2021)**
* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in the SAP Support Portal.
** Any Patch Day Security Note released after the second Tuesday will be accounted for in the following SAP Security Patch Day.
Customers who would like to see all Security Notes published or updated after September 14, 2021 can go to Launchpad Expert Search → filter 'SAP Security Notes' released between 'September 15, 2021 - October 12, 2021' → Go.
To learn more about the security researchers and research companies who have contributed to this month's security patches, visit the SAP Product Security Response Acknowledgement Page.
Do write to us at secure@sap.com with all your comments and feedback on this blog post.