This post by the SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply patches on priority to protect their SAP landscape.
On 9th of November 2021, SAP Security Patch Day saw the release of 5 Security Notes. There were 2 updates to previously released Patch Day Security Notes.
List of security notes released on November Patch Day:
| Note# | Title | Priority | CVSS |
| --- | --- | --- | --- |
| 3099776 | [CVE-2021-40501] Missing Authorization check in ABAP Platform Kernel. Product - SAP ABAP Platform Kernel, Versions - 7.77, 7.81, 7.85, 7.86 | Hot News | 9.6 |
| 3110328 | [CVE-2021-40502] Missing Authorization check in SAP Commerce. Product - SAP Commerce, Versions - 2105.3, 2011.13, 2005.18, 1905.34 | High | 8.3 |
| 2971638 | Update to Security Note released on October 2020 Patch Day: [CVE-2020-6369] Hard-coded Credentials in CA Introscope Enterprise Manager (Affected products: SAP Solution Manager and SAP Focused Run). Product - CA Introscope Enterprise Manager (Affected products: SAP Solution Manager and SAP Focused Run), Versions - 9.7, 10.1, 10.5, 10.7 | High | 7.5 |
| 3080106 | [CVE-2021-40503] Information Disclosure in SAP GUI for Windows. Product - SAP GUI for Windows, Versions - < 7.60 PL13, 7.70 PL4 | Medium | 6.8 |
| 3104456 | [CVE-2021-42062] Missing Authorization check in SAP ERP HCM. Product - SAP ERP HCM Portugal, Versions - 600, 604, 608 | Medium | 6.5 |
| 3068582 | Update to Security Note released on September 2021 Patch Day: [CVE-2021-38164] Missing Authorization check in SAP ERP Financial Accounting / RFOPENPOSTING_FR. Product - SAP ERP Financial Accounting (RFOPENPOSTING_FR), Versions - SAP_APPL - 600, 602, 603, 604, 605, 606, 616, SAP_FIN - 617, 618, 700, 720, 730, SAPSCORE - 125, S4CORE, 100, 101, 102, 103, 104, 105 | Medium | 5.4 |
| 3105728 | [CVE-2021-40504] Leverage of Permission in SAP NetWeaver Application Server for ABAP and ABAP Platform. Product - SAP NetWeaver AS for ABAP and ABAP Platform, Versions - 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756 | Medium | 4.9 |
[Figure: Vulnerability Type Distribution - November 2021]
# Multiple vulnerabilities on the same product can be fixed by one security note.
[Figure: Security Notes vs Priority Distribution (June – November 2021)**]
* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in the SAP Support Portal.
** Any Patch Day Security Note released after the second Tuesday will be accounted for in the following SAP Security Patch Day.
Customers who would like to take a look at all Security Notes published or updated after October 12, 2021, can go to Launchpad Expert Search → Filter 'SAP Security Notes' released between 'October 13, 2021 - November 9, 2021' → Go.
To know more about the security researchers and research companies who have contributed to this month's security patches, visit the SAP Product Security Response Acknowledgement Page.
Do write to us at secure@sap.com with all your comments and feedback on this blog post.