SAP Security Notes Review: July 2021

SAP’s security patch day for July 2021 saw the release of 14 OSS SAP security notes. Based on CVSS v3.0 ratings, 1 note has been classified as low, 9 as medium, 2 as high and 2 as critical.

4 OSS notes have been released this month for SAP NetWeaver AS ABAP and 3 notes for SAP NetWeaver AS JAVA. Single notes have been released for SAP Business Client, SAP Web Dispatcher, SAP Business Objects, SAP 3D Visual Enterprise Viewer, SAP Lumira Server, SAP NetWeaver Guided Procedures and SAP CRM ABAP.

Vulnerabilities: July 2021 Highlights

[CVE-2021-33683] HTTP Request Smuggling in SAP Web Dispatcher and Internet Communication Manager (SAP Note 3000663)

Incorrect handling of an invalid Transfer-Encoding header makes an HTTP Request Smuggling attack possible. An attacker could exploit this vulnerability to bypass web application firewall protection or to divert sensitive data such as customer requests and session credentials.
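
As an added illustration (not code from SAP or from this review), the check below shows how a front end or log pipeline can reject requests whose Transfer-Encoding header is invalid or whose framing is ambiguous, instead of guessing how to interpret them. The function name, the sample requests and the "only a bare `chunked` passes" policy are assumptions; it is a generic RFC 7230 check and does not reproduce the specific flaw addressed by SAP Note 3000663.

```python
import re

# RFC 7230 "token" characters allowed in a header field name.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

def framing_issues(raw_head: bytes) -> list[str]:
    """Return the reasons a request head has invalid or ambiguous framing."""
    issues, te_values, cl_values = [], [], []
    head = raw_head.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        text = line.decode("latin-1")
        if text[:1] in (" ", "\t"):
            issues.append("obsolete line folding")
            continue
        name, sep, value = text.partition(":")
        if not sep or not TOKEN.fullmatch(name):
            # Also catches whitespace or control characters before the colon.
            issues.append(f"malformed header name {name!r}")
            continue
        if name.lower() == "transfer-encoding":
            te_values.append(value.strip(" \t"))
        elif name.lower() == "content-length":
            cl_values.append(value.strip(" \t"))
    for value in te_values:
        # Assumed policy: stricter than the RFC, only a bare "chunked" passes.
        if value.lower() != "chunked":
            issues.append(f"unsupported Transfer-Encoding {value!r}")
    if len(te_values) > 1:
        issues.append("repeated Transfer-Encoding header")
    if te_values and cl_values:
        issues.append("both Transfer-Encoding and Content-Length present")
    if len(set(cl_values)) > 1 or not all(re.fullmatch(r"[0-9]+", v) for v in cl_values):
        issues.append("invalid or conflicting Content-Length")
    return issues

# Constructed sample request heads (not taken from the SAP note).
CLEAN = b"POST /app HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\n"
AMBIGUOUS = (b"POST /app HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 5\r\nTransfer-Encoding: bogus\r\n\r\n")

if __name__ == "__main__":
    for label, head in (("clean", CLEAN), ("ambiguous", AMBIGUOUS)):
        print(label, framing_issues(head) or "accept")
```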

[CVE-2021-33670] Denial of Service (DoS) in SAP NetWeaver AS for Java (Http Service) (SAP Note 3056652)

SAP NetWeaver AS Java Http Service allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service. The impact includes long response delays and service interruptions, which degrade the service quality experienced by legitimate users and directly affect availability.

[CVE-2021-33684] Memory Corruption in SAP NetWeaver AS ABAP and ABAP Platform (SAP Note 3032624)

About this review

On the second Tuesday of each month, SAP release security updates to their software products. At Absoft, we analyse all of the released security updates and produce this security review, including sending bespoke recommendations for each of our managed service customers.

There is more information on how we handle SAP security updates, including information on SAP’s process, the CVE process and the CVSS base scores in our earlier article on addressing security vulnerabilities in SAP software.
