On March 9, SAP released a security update comprising 13 new patches, 4 of which are critical.

CERT PSE encourages administrators to review the SAP Security Patch Day notes and apply the necessary updates.

Full list of patches:

| Note# | Title | Priority | CVSS |
|---|---|---|---|
| 2890213 | Update to security note released on March 2020 Patch Day: [CVE-2020-6207] Missing Authentication Check in SAP Solution Manager (User-Experience Monitoring). Product – SAP Solution Manager (User Experience Monitoring), Version – 7.2 | Hot News | 10 |
| 2622660 | Update to security note released on April 2018 Patch Day: Security updates for the browser control Google Chromium delivered with SAP Business Client. Product – SAP Business Client, Version – 6.5 | Hot News | 10 |
| 3022622 | [CVE-2021-21480] Code Injection Vulnerability in SAP MII. Product – SAP Manufacturing Integration and Intelligence, Versions – 15.1, 15.2, 15.3, 15.4 | Hot News | 9.9 |
| 3022422 | [CVE-2021-21481] Missing Authorization Check in SAP NetWeaver AS JAVA (MigrationService). Product – SAP NetWeaver AS JAVA (MigrationService), Versions – 7.10, 7.11, 7.30, 7.31, 7.40, 7.50 | Hot News | 9.6 |
| 3017378 | [CVE-2021-21484] Possible authentication bypass in SAP HANA LDAP scenarios. Product – SAP HANA, Version – 2.0 | High | 7.7 |
| 3007888 | [CVE-2021-21486] Missing Authorization check in SAP Enterprise Financial Services (Bank Customer Accounts). Product – SAP Enterprise Financial Services (Bank Customer Accounts), Versions – 101, 102, 103, 104, 105, 600, 603, 604, 605, 606, 616, 617, 618, 800 | Medium | 6.8 |
| 2983436 | [CVE-2021-21488] Insecure Deserialisation in SAP NetWeaver Knowledge Management. Product – SAP NetWeaver Knowledge Management, Versions – 7.01, 7.02, 7.30, 7.31, 7.40, 7.50 | Medium | 6.8 |
| 3023778 | [CVE-2021-21487] Missing Authorization Check in Payment Engine. Product – SAP Payment Engine, Version – 500 | Medium | 6.8 |
| 2943844 | Update to security note released on October 2020 Patch Day: [CVE-2020-6308] Server-Side Request Forgery vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Services). Product – SAP BusinessObjects Business Intelligence Platform (Web Services), Versions – 410, 420, 430 | Medium | 5.3 |
| 2976947 | [CVE-2021-21491] Reverse TabNabbing vulnerability in SAP NetWeaver Application Server Java (Applications based on Web Dynpro Java). Product – SAP NetWeaver Application Server Java (Applications based on Web Dynpro Java), Versions – 7.00, 7.10, 7.11, 7.20, 7.30, 731, 7.40, 7.50 | Medium | 4.7 |
| 3027767 | [CVE-2021-27592] Improper Input Validation in SAP 3D Visual Enterprise Viewer. Product – SAP 3D Visual Enterprise Viewer, Version – 9 | Medium | 4.3 |
| 3027758 | [Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer. Related CVEs – CVE-2021-27585, CVE-2021-27586, CVE-2021-27587, CVE-2021-21493, CVE-2021-27588, CVE-2021-27591, CVE-2021-27584, CVE-2021-27589, CVE-2021-27590. Product – SAP 3D Visual Enterprise Viewer, Version – 9 | Medium | 4.3 |
| 2944188 | Update to security note released on November 2020 Patch Day: [CVE-2020-6316] Missing Authorization Check in SAP ERP and SAP S/4 HANA. Product – SAP ERP, Versions – 600, 602, 603, 604, 605, 606, 616, 617, 618. Product – SAP S/4 HANA, Versions – 100, 101, 102, 103, 104 | Medium | 4.3 |