SAP’s security patch day for June 2021 has seen the release of 17 OSS SAP security notes and 2 updates to existing notes. 13 notes have been classified as medium, 4 as high and 2 as critical, based on the CVSS v3.0 rating.

SAP Security Notes June 2021 charts and graphs

10 OSS notes have been released this month for SAP NetWeaver AS ABAP. 2 notes have been released for each of SAP NetWeaver AS JAVA and SAP Commerce. Single notes have been released for SAP Business One, SAP Enable Now, SAP 3D Visual Enterprise Viewer, SAP Fiori, and SAP Manufacturing Execution.

Security Notes July 2021 charts and graphs


Vulnerabilities: May 2021 Highlights


[CVE-2021-27610] Improper Authentication in SAP NetWeaver ABAP Server and ABAP Platform (SAP Note 3007182)

A malicious user is able to intercept credentials from a communication (HTTP or RFC) between an SAP server and an external server. This is because SAP NetWeaver ABAP Server and ABAP Platform do not create information about internal and external RFC users in a distinguished and consistent format. No workaround has been released for this issue, so patching of the Kernel and implementation of the note are required.


[CVE-2021-27635] Missing XML Validation in SAP NetWeaver AS for JAVA (SAP Note 3053066)

A malicious user with administrator privileges can attack an SAP NetWeaver AS for JAVA system which is under construction. This is done by submitting an XML file to an XML parser that has not been configured to validate its input and disallow external entities. Patching is needed to resolve this issue.


Memory Corruption vulnerability in SAP NetWeaver ABAP Server and ABAP Platform (SAP Notes 3020209, 3020104 and 3021197)

SAP have released three notes which deal with the same issue: an attacker, without any knowledge of the system, can send a packet over the network which will crash the system and render it unavailable. Again, patching is recommended to close the vulnerability.


[CVE-2021-33662] Information Disclosure in SAP Business One (SAP Note 3058382)

Under certain conditions, the installation of SAP Business One discloses sensitive information on the file system, allowing an attacker to access information which would otherwise be restricted. The old information can be removed from the log file.


About this review

On the second Tuesday of each month, SAP release security updates to their software products.  At Absoft, we analyse all of the released security updates and produce this security review, including sending bespoke recommendations for each of our managed service customers.

There is more information on how we handle SAP security updates, including information on SAP’s process, the CVE process and the CVSS base scores in our earlier article on addressing security vulnerabilities in SAP software.
