SAP’s security patch day for August 2021 has seen the release of 14 OSS SAP security notes. None of the notes has been classified as low; 7 have been classified as medium, 5 as high and 2 as critical, based on their CVSS v3.0 rating.
3 OSS notes each have been released this month for SAP NetWeaver Enterprise Portal and SAP Business One. 2 notes have been released for SAP BusinessObjects Business Intelligence Platform. Single notes have been released for SAP NetWeaver AS ABAP, SAP Cloud Connector, SAP Fiori Client Native Mobile for Android, SAP NetWeaver Development Infrastructure, SAP NetWeaver Knowledge Management, and SAP NZDT Row Count Reconciliation.
Vulnerabilities: August 2021 Highlights
[CVE-2021-33696] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (SAP Note 3062085)
SAP BusinessObjects Business Intelligence Platform (Crystal Report) does not sufficiently encode user-controlled inputs, so an authorized attacker can exploit an XSS vulnerability. The potential impacts of the vulnerability are:
• Non-permanently deface or modify displayed content from the Web site
• Steal authentication information of the user, such as data relating to the current session
• Impersonate the user and access all information with the same rights as the target user
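The root cause named above, user-controlled input not being encoded for the context it is rendered in, is easiest to see side by side with its fix. The following is an added illustration written for this review, not code from SAP or from the affected product; the report-title and link helpers, and the sample inputs, are constructed for the example. It also covers one edge case the note does not spell out: in an attribute that holds a URL, entity encoding alone is not enough and the scheme must be allowlisted as well.

```python
import html
from urllib.parse import urlsplit

# Constructed sample inputs standing in for user-controlled report parameters.
SAMPLE_INPUTS = [
    "Quarterly sales",
    "<script>alert(1)</script>",
    '" onmouseover="alert(1)',
]


def render_title_vulnerable(title: str) -> str:
    # The pattern the note describes: input concatenated straight into markup.
    # Any '<' or '"' in the input becomes part of the page structure.
    return "<h1>" + title + "</h1>"


def render_title_hardened(title: str) -> str:
    # HTML body context: entity-encode &, <, >, " and ' before output.
    # The text is still displayed verbatim to the user; it just cannot be parsed as markup.
    return "<h1>" + html.escape(title, quote=True) + "</h1>"


def render_link_hardened(label: str, url: str) -> str:
    # Attribute context holding a URL: encoding and a scheme allowlist are both needed.
    # A 'javascript:' URL contains nothing html.escape would change, so it must be
    # rejected by scheme. Tabs and newlines are removed first because browsers ignore
    # them when parsing a scheme. Only absolute http/https URLs are accepted here.
    cleaned = "".join(ch for ch in url.strip() if ch not in "\t\r\n")
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme not in ("http", "https"):
        cleaned = "#"
    return '<a href="%s">%s</a>' % (
        html.escape(cleaned, quote=True),
        html.escape(label, quote=True),
    )


def input_survives_unencoded(fragment: str, user_input: str) -> bool:
    # Simple check used when reviewing templates: does markup-significant input
    # appear verbatim in the rendered output?
    has_special = any(ch in user_input for ch in "<>\"'")
    return has_special and user_input in fragment


if __name__ == "__main__":
    for value in SAMPLE_INPUTS:
        print("vulnerable:", render_title_vulnerable(value))
        print("hardened:  ", render_title_hardened(value))
    print(render_link_hardened("Open report", "https://example.com/report?id=1&view=2"))
    print(render_link_hardened("Open report", " JavaScript:alert(1)"))
```

The two title renderers produce the same visible text for the benign input; they differ only when the input contains characters that the HTML parser would otherwise treat as markup, which is exactly the case the SAP note describes.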
[CVE-2021-21473] Missing Authorization check in SAP NetWeaver AS ABAP and ABAP Platform (SAP Note 3002517)
SAP NetWeaver AS ABAP and ABAP Platform allow a low privileged attacker to execute reports by using a remote-enabled function module over the network. Due to a lack of input validation, the function module enables an otherwise not authorized user to execute reports in SAP.
[CVE-2021-33698] Unrestricted File Upload vulnerability in SAP Business One (SAP Note 3071984)
SAP Business One allows an attacker with business authorization to upload any files (including script files) without the proper file format validation.
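The note's phrase "without the proper file format validation" points at the checks a server-side upload handler should make before accepting a file. The following is an added example written for this review, not SAP Business One code; the allowlist, size limit and sample uploads are constructed assumptions. It shows the validation the note implies: an extension allowlist, a check that the uploaded bytes actually match the claimed type, rejection of double extensions, and removal of any directory component from the client-supplied filename.

```python
import os
import re

# Allowlist of extension -> magic bytes a genuine file of that type starts with.
# Constructed for this example; extend per the types the application must accept.
ALLOWED_TYPES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "pdf": [b"%PDF-"],
}
MAX_BYTES = 10 * 1024 * 1024  # assumed upper bound for a single upload
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$")


class UploadRejected(ValueError):
    """Raised when an upload fails validation; the message is safe to log."""


def validate_upload(filename: str, content: bytes) -> str:
    """Return the sanitized name under which the file may be stored, or raise.

    Both the filename and the bytes come from the client and are untrusted; the
    Content-Type header is deliberately not consulted because it is client-chosen.
    """
    # Drop any directory component so a name such as '../../x.png' cannot
    # place the file outside the upload folder.
    base = os.path.basename(filename.replace("\\", "/"))
    if not SAFE_NAME.match(base):
        raise UploadRejected("filename contains disallowed characters")
    if len(content) == 0 or len(content) > MAX_BYTES:
        raise UploadRejected("empty or oversized upload")
    parts = base.lower().split(".")
    if len(parts) != 2:
        # Exactly one extension: rejects 'report.pdf.html' style names as well
        # as names with no extension at all.
        raise UploadRejected("exactly one extension is required")
    stem, ext = parts
    magics = ALLOWED_TYPES.get(ext)
    if magics is None:
        raise UploadRejected("extension not allowed: ." + ext)
    # The extension alone says nothing about the content: a script body saved
    # as 'logo.png' is caught here because it does not start with a PNG header.
    if not any(content.startswith(m) for m in magics):
        raise UploadRejected("content does not match a ." + ext + " file")
    return stem + "." + ext


def is_accepted(filename: str, content: bytes) -> bool:
    # Convenience wrapper for tests and bulk checks.
    try:
        validate_upload(filename, content)
        return True
    except UploadRejected:
        return False


# Constructed sample uploads: (client filename, first bytes of the body).
PNG_HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_UPLOADS = [
    ("logo.png", PNG_HEADER),
    ("logo.png", b"<?php echo 'hello'; ?>"),  # script body with an image extension
    ("helper.php", b"<?php echo 'hello'; ?>"),
    ("report.pdf.html", b"%PDF-1.4"),
    ("../../x.png", PNG_HEADER),
]

if __name__ == "__main__":
    for name, body in SAMPLE_UPLOADS:
        try:
            print("accepted:", name, "->", validate_upload(name, body))
        except UploadRejected as err:
            print("rejected:", name, "->", err)
```

The magic-byte comparison only establishes that the file starts like the claimed type; for formats that tolerate trailing data, a server that later serves uploads back should also send a fixed Content-Type and a `Content-Disposition: attachment` header so that the browser does not interpret the body.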
About this review
On the second Tuesday of each month, SAP releases security updates for its software products. At Absoft, we analyse all of the released security updates and produce this security review, including sending bespoke recommendations to each of our managed service customers.
There is more information on how we handle SAP security updates, including information on SAP’s process, the CVE process and the CVSS base scores in our earlier article on addressing security vulnerabilities in SAP software.