SAP’s security patch day for October 2021 has seen the release of 13 new OSS SAP security notes and 1 update to an existing note. No notes have been classified as low, 10 as medium, 1 as high and 3 as critical, based on their CVSS v3.0 rating.
5 OSS notes have been released this month for SAP NetWeaver AS ABAP, and 2 notes each have been released for SAP BusinessObjects and SAP Business One. Single notes have been released for SAP Business Client, SAP Environmental Compliance, SAP SuccessFactors and SAPUI5.
Vulnerabilities: October 2021 Highlights
[CVE-2020-10683, CVE-2021-23926] Potential XML External Entity Injection Vulnerability in SAP Environmental Compliance (SAP Note 3101406)
The Data Import from Excel Template functionality in SAP Environmental Compliance uses open source XML-processing software that has been found to contain XML External Entity (XXE) vulnerabilities.
[CVE-2021-38178] Improper Authorization in SAP NetWeaver AS ABAP and ABAP Platform (SAP Note 3097887)
A malicious user with developer and administrator permissions could use tools of the software logistics system without any authorisation check being performed.
[CVE-2021-40498] Denial of service (DOS) in the SAP SuccessFactors Mobile Application for Android devices (SAP Note 3077635)
A vulnerability has been identified in the SAP SuccessFactors Mobile Application for Android which allows an attacker to prevent legitimate users from accessing a service, either by crashing or by flooding the service, leading to denial of service.
[CVE-2021-40500] Missing XML Validation in SAP BusinessObjects Business Intelligence Platform (Crystal Reports) (SAP Note 3074693)
SAP BusinessObjects Business Intelligence Platform (Crystal Reports) allows an unauthenticated attacker to exploit missing XML validations at endpoints to read sensitive data.
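Both the Environmental Compliance note (CVE-2020-10683, CVE-2021-23926) and the Crystal Reports note (CVE-2021-40500) come down to the same class of problem: XML supplied by a user is handed to a parser that honours DTD features such as external entities. The example below, which we have added here and which is not SAP code, shows what a hardened XML intake for an import endpoint looks like in Python using only the standard library's expat binding: it refuses any DOCTYPE, entity declaration or external entity reference outright and never expands parameter entities, so an XXE payload is rejected before any file or network access can occur. The import document layout (`import/row/id`) and the sample payloads are constructed for illustration.

```python
"""Hardened XML intake for an untrusted import path (added example, not SAP code)."""
import xml.parsers.expat as expat


class XMLSecurityError(ValueError):
    """Raised when a document uses DTD features that enable XXE or entity expansion."""


def _forbid_doctype(doctype_name, system_id, public_id, has_internal_subset):
    # Any DOCTYPE is refused: that is where external and internal entities are declared.
    raise XMLSecurityError(f"DOCTYPE declaration not allowed (name={doctype_name!r})")


def _forbid_entity_decl(entity_name, is_parameter_entity, value, base,
                        system_id, public_id, notation_name):
    # Belt-and-braces: reached only if a DOCTYPE somehow got past the first handler.
    raise XMLSecurityError(f"entity declaration not allowed: {entity_name!r}")


def _forbid_external_entity(context, base, system_id, public_id):
    # Refuse to dereference file:// or http(s):// identifiers on the attacker's behalf.
    raise XMLSecurityError(f"external entity reference not allowed: {system_id!r}")


def parse_untrusted_xml(data: bytes) -> list[tuple[str, str]]:
    """Parse `data` into a flat list of (element path, text) pairs.

    Raises XMLSecurityError instead of silently skipping or resolving entities.
    """
    parser = expat.ParserCreate()
    # Never expand parameter entities, even if a DTD were somehow accepted.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.StartDoctypeDeclHandler = _forbid_doctype
    parser.EntityDeclHandler = _forbid_entity_decl
    parser.ExternalEntityRefHandler = _forbid_external_entity

    path: list[str] = []            # current element nesting, e.g. import/row/id
    rows: list[tuple[str, str]] = []
    buf: list[str] = []             # character data seen since the last element end

    def start(name, attrs):
        path.append(name)

    def chars(text):
        buf.append(text)

    def end(name):
        text = "".join(buf).strip()
        if text:
            rows.append(("/".join(path), text))
        buf.clear()
        path.pop()

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(data, True)        # exceptions raised in handlers propagate here
    return rows


# Constructed sample inputs: a benign import row and an XXE attempt against it.
BENIGN_IMPORT = b"<import><row><id>1</id><value>42</value></row></import>"
XXE_ATTEMPT = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    b"<import><row><id>&xxe;</id></row></import>"
)


def is_rejected(data: bytes) -> bool:
    """True if the hardened parser refuses the document on security grounds."""
    try:
        parse_untrusted_xml(data)
    except XMLSecurityError:
        return True
    return False


if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN_IMPORT))
    print("XXE attempt rejected:", is_rejected(XXE_ATTEMPT))
```

The design choice worth noting is rejection rather than "safe" expansion: an import template has no legitimate need for a DTD, so refusing the document at the DOCTYPE is simpler to reason about than trying to resolve entities safely, and it also shuts down internal-entity expansion attacks (the "billion laughs" family), which a parser that merely blocks external fetches would still process.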
About this review
On the second Tuesday of each month, SAP releases security updates for its software products. At Absoft, we analyse all of the released security updates and produce this security review, including bespoke recommendations sent to each of our managed service customers.
There is more information on how we handle SAP security updates, including information on SAP’s process, the CVE process and the CVSS base scores in our earlier article on addressing security vulnerabilities in SAP software.