SAP Security Notes Review: February 2021

SAP Security Notes February 2021


SAP’s security patch day for February 2021 has seen the release of 7 OSS SAP security notes and 6 updates to existing notes. 8 OSS notes have been classified as medium, 2 OSS notes have been classified as high, and 3 as critical, based on CVSS v3.0 Rating.

A graph showing SAP security note CVSS base scores

2 OSS notes have been released this month for SAP NetWeaver AS ABAP and SAP UI. Single notes have been released for SAP Business Client, SAP Commerce, SAP Business Warehouse, SAP Software Provisioning Manager, SAP BusinessObjects, SAP NetWeaver Process Integration, SAP NetWeaver Master Data Management, SAP Web Dynpro ABAP and SAP HANA.

A graph showing SAP security notes by product category


Vulnerabilities: February 2021 Highlights


[CVE-2021-21477] Remote Code Execution vulnerability in SAP Commerce (SAP Note 3014121)

The SAP Commerce Backoffice application enables certain users with the required privileges to edit Drools rules. An authenticated attacker holding this privilege is able to inject malicious code into the Drools rules which, when executed, results in Remote Code Execution. This only affects installations that have the rule engine extension installed.


[CVE-2021-21472] Server password not set during installation of SAP NetWeaver Master Data Management 7.1 (SAP Note 2998173)

During the installation of an SAP NetWeaver Master Data Management (MDM) system using Software Provisioning Manager (SWPM) there is no option to set a server password. It is recommended to set a password as soon as MDM is installed.


[CVE-2021-21444] Clickjacking vulnerability in SAP Business Objects Business Intelligence Platform (CMC and BI Launchpad) (SAP Note 2935791)

SAP BusinessObjects allows multiple X-Frame-Options header entries in the response headers, which may not be treated predictably by all user agents. The user could be tricked into clicking something different from what is perceived, potentially revealing information or allowing an attacker to take control of the computer.
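The condition behind this note is easy to check from the defender's side: capture the raw response head of the affected pages (for example with `curl -si`) and look for an X-Frame-Options header that appears more than once or carries conflicting values. The following Python script is an added example written for this review; it is not code from SAP, from the note, or from Absoft. It parses a raw HTTP/1.1 response head, preserves duplicate headers instead of collapsing them into a dictionary, flags ambiguous X-Frame-Options handling, and reports whether a Content-Security-Policy frame-ancestors directive (the unambiguous modern alternative) is present. The three sample responses at the bottom are constructed for illustration and do not come from a real SAP system.

```python
"""Flag ambiguous X-Frame-Options handling in an HTTP response head.

Added example for the CVE-2021-21444 discussion above. Sample responses
below are constructed; they are not captured from any SAP product.
"""
from __future__ import annotations

# Values a user agent is expected to understand. ALLOW-FROM is obsolete and
# is treated as unknown here, so it is reported as ambiguous.
KNOWN_XFO = {"DENY", "SAMEORIGIN"}


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Return (name, value) pairs in wire order, names lower-cased.

    Duplicates are kept deliberately: a dict keyed by header name would
    silently discard the second X-Frame-Options entry we want to detect.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    pairs: list[tuple[str, str]] = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            continue  # blank or malformed line, ignore
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def assess_framing(raw: str) -> dict:
    """Classify the framing protection declared by a response head."""
    headers = parse_headers(raw)
    # A single header line may itself be a comma-joined list if an
    # intermediary merged duplicate headers, so split on commas as well.
    xfo_values = [
        part.strip().upper()
        for name, value in headers if name == "x-frame-options"
        for part in value.split(",") if part.strip()
    ]
    distinct = sorted(set(xfo_values))
    frame_ancestors = [
        directive.strip()
        for name, value in headers if name == "content-security-policy"
        for directive in value.split(";")
        if directive.strip().lower().startswith("frame-ancestors")
    ]
    ambiguous = len(xfo_values) > 1 or any(v not in KNOWN_XFO for v in xfo_values)

    if ambiguous:
        verdict = "ambiguous: multiple or conflicting X-Frame-Options values"
    elif frame_ancestors:
        verdict = "ok: CSP frame-ancestors present"
    elif not xfo_values:
        verdict = "missing: no framing protection declared"
    else:
        verdict = "ok: single X-Frame-Options " + xfo_values[0]

    return {
        "xfo_values": xfo_values,
        "distinct": distinct,
        "frame_ancestors": frame_ancestors,
        "ambiguous": ambiguous,
        "verdict": verdict,
    }


# Constructed samples (not real captures).
AMBIGUOUS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: constructed-sample\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: DENY\r\n"
    "\r\n"
    "<html></html>"
)
CLEAN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'self'\r\n"
    "\r\n"
)
NO_PROTECTION = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    for label, sample in [("ambiguous", AMBIGUOUS_RESPONSE),
                          ("clean", CLEAN_RESPONSE),
                          ("none", NO_PROTECTION)]:
        print(label, "->", assess_framing(sample)["verdict"])
```

Pipe the head of a real response into `assess_framing` and treat any "ambiguous" verdict as a finding: the fix is a single X-Frame-Options value, ideally alongside a CSP frame-ancestors directive, which modern browsers honour in preference to X-Frame-Options.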


About this review

On the second Tuesday of each month, SAP releases security updates for its software products. At Absoft, we analyse all of the released security updates and produce this security review, including sending bespoke recommendations to each of our managed service customers.

There is more information on how we handle SAP security updates, including information on SAP’s process, the CVE process and the CVSS base scores in our earlier article on addressing security vulnerabilities in SAP software.

