SAP’s security patch day for December 2021 saw the release of 0 new OSS SAP security notes and 5 updates to existing notes. Based on the CVSS v3.0 rating, 1 note is classified as low, 4 notes as medium, 5 as high, and 4 as critical.
3 notes have been released for SAP Commerce and 2 for SAP NetWeaver AS ABAP. Single notes have been released for SAP Business Client, SAP S/4HANA, SAP Knowledge Warehouse, SAP SuccessFactors, SAP Web Dispatcher, SAP 3D Visual Enterprise Viewer, SAP BusinessObjects, SAP GRC Access Control and SAPUI5.
Vulnerabilities: December 2021 Highlights
[CVE-2021-44231] Code Injection vulnerability in SAP ABAP Server & ABAP Platform (Translation Tools) (SAP Note 3119365)
An attacker with low privileges can use a weakness in the text extraction reports of Translation Tools to run commands in the background on the system, which could compromise all data.
[CVE-2021-42064] SQL Injection vulnerability in SAP Commerce (SAP Note 3114134)
SAP Commerce, under certain circumstances, allows an attacker to execute crafted database queries, exposing the backend database. Any SAP Commerce installation using an Oracle database is impacted.
[CVE-2021-42063] Cross-Site Scripting (XSS) vulnerability in SAP Knowledge Warehouse (SAP Note 3102769)
A security vulnerability has been discovered in SAP Knowledge Warehouse (SAP KW). The use of one SAP KW component within a web browser enables unauthorized attackers to conduct XSS attacks, which might lead to the disclosure of sensitive data.
[CVE-2021-44235] Code Injection vulnerability in utility class for SAP NetWeaver AS ABAP (SAP Note 3123196)
SAP NetWeaver AS ABAP allows an attacker with high privileges and direct access to the SAP system to inject code when executing transaction SE24.
About this review
On the second Tuesday of each month, SAP releases security updates for its software products. At Absoft, we analyse all of the released security updates and produce this security review, including sending bespoke recommendations to each of our managed service customers.
There is more information on how we handle SAP security updates, including information on SAP’s process, the CVE process and the CVSS base scores in our earlier article on addressing security vulnerabilities in SAP software.