SAP Security Notes Review: May 2021
11th May 2021
SAP’s security patch day for May 2021 has seen the release of 6 new OSS SAP security notes and 5 updates to existing notes. Of these 11 notes, 1 has been classified as low, 4 as medium, 3 as high and 3 as critical, based on the CVSS v3.0 base score.
Two notes each have been released this month for SAP Business One and SAP Commerce. Single notes have been released for SAP Business Client, SAP NetWeaver AS ABAP, SAP Process Integration, SAP Focused Run, SAP GUI, SAP NetWeaver AS JAVA and SAP Business Warehouse.
Vulnerabilities: May 2021 Highlights
[CVE-2021-27611] Code Injection vulnerability in SAP NetWeaver AS ABAP (SAP Note 3046610)
A programme in SAP NetWeaver AS ABAP allows a malicious user to inject and execute unauthorised commands. Using this, an attacker could read or overwrite data, or cause a Denial-of-Service. Until the note can be applied, SAP recommends disabling access to the affected programme as a workaround.
[CVE-2021-27613] Information Disclosure in SAP Business One (Chef business-one-cookbook) (SAP Note 3049755)
Under certain conditions, the Chef business-one-cookbook, used to install SAP Business One, uses an insecure temporary folder for incoming and outgoing payroll data. A local attacker can read from, or write to, that folder and so gain access to information that would otherwise be restricted. Patching is recommended.
[CVE-2021-27616] Multiple vulnerabilities in SAP Business One, version for SAP HANA (Business-One-Hana-Chef-Cookbook) (SAP Note 3049661)
The equivalent cookbook for SAP Business One, version for SAP HANA, carries both an Information Disclosure and a Code Injection vulnerability. Again, patching is recommended.
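To make the class of weakness behind the two cookbook notes above concrete, here is an added example in Ruby (the language Chef cookbooks are written in). It is not SAP’s code and not the cookbook’s: the folder name, the staging pattern and the exact weakness are assumptions used for illustration. It shows a predictable, world-accessible staging folder beside a hardened one, together with a small audit helper that can be pointed at an existing directory to check whether other local users can reach it.

```ruby
# Added example, not code from the SAP cookbooks: a weak temporary/staging
# directory for exchanged payroll files beside a hardened one, plus an
# audit helper for directories that already exist.
require 'fileutils'
require 'tmpdir'

# Weak pattern (assumed for illustration): a fixed, predictable path that is
# created world-readable and world-writable, so any local user can read the
# payroll files dropped there or plant their own.
def insecure_staging_dir(base)
  path = File.join(base, 'b1_payroll_exchange')   # hypothetical folder name
  FileUtils.mkdir_p(path)
  File.chmod(0o777, path)                          # bypasses umask deliberately
  path
end

# Hardened pattern: owner-only permissions and an unpredictable name from
# Dir.mktmpdir, so other local users can neither list nor write the folder.
def secure_staging_dir(base)
  path = Dir.mktmpdir('b1_payroll_exchange', base)  # created 0700 by default
  File.chmod(0o700, path)                            # make the intent explicit
  path
end

# Audit helper: true when any group or other permission bit is set, i.e. when
# users other than the owner can read, write or traverse the directory.
def exposed_to_other_users?(path)
  mode = File.stat(path).mode & 0o777
  (mode & 0o077) != 0
end

# Re-tighten a directory found exposed and report what changed.
def harden_dir!(path)
  before = File.stat(path).mode & 0o777
  File.chmod(0o700, path)
  format('%s: %04o -> 0700', path, before)
end

if $PROGRAM_NAME == __FILE__
  # Demo runs inside a throwaway base directory so nothing is left behind.
  Dir.mktmpdir do |base|
    bad  = insecure_staging_dir(base)
    good = secure_staging_dir(base)
    puts "weak:     #{bad}  exposed=#{exposed_to_other_users?(bad)}"
    puts "hardened: #{good}  exposed=#{exposed_to_other_users?(good)}"
    puts harden_dir!(bad)
  end
end
```

The audit helper is the part worth reusing: run it against the folders an installer leaves behind on a Business One host (the paths are whatever your cookbook actually created) and treat any directory holding sensitive data that reports true as a finding, independently of whether the vendor patch has been applied.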
[CVE-2021-27619] Information Disclosure in SAP Commerce (Backoffice search) (SAP Note 3039818)
The search functionality in the SAP Commerce Backoffice web application is vulnerable to information disclosure. It allows a low-privileged user to search on attributes that are not supposed to be displayed to that user, and so to infer their values. The patch, now available, introduces new permissions controlling which attributes can be searched.
About this review
On the second Tuesday of each month, SAP release security updates to their software products. At Absoft, we analyse all of the released security updates, produce this security review and send bespoke recommendations to each of our managed service customers.
There is more information on how we handle SAP security updates, including information on SAP’s process, the CVE process and the CVSS base scores in our earlier article on addressing security vulnerabilities in SAP software.