On 13 April, SAP released security updates comprising 14 new patches, 3 of which are rated critical (Hot News).
CERT PSE encourages administrators to review the SAP Security Patch Day notes and apply the necessary updates.
Full list of patches:
| Note# | Title | Priority | CVSS |
|---|---|---|---|
| 2622660 | Update to Security Note released on August 2018 Patch Day: Security updates for the browser control Google Chromium delivered with SAP Business Client. Product – SAP Business Client, Version – 6.5 | Hot News | 10 |
| 3040210 | [CVE-2021-27602] Remote Code Execution vulnerability in Source Rules of SAP Commerce. Product – SAP Commerce, Versions – 1808, 1811, 1905, 2005, 2011 | Hot News | 9.9 |
| 3022422 | Update to Security Note released on March 2021 Patch Day: [CVE-2021-21481] Missing Authorization Check in SAP NetWeaver AS JAVA (MigrationService). Product – SAP NetWeaver AS JAVA (MigrationService), Versions – 7.10, 7.11, 7.30, 7.31, 7.40, 7.50 | Hot News | 9.6 |
| 3017908 | [CVE-2021-21482] Information Disclosure in SAP NetWeaver Master Data Management. Product – SAP NetWeaver Master Data Management, Versions – 710, 710.750 | High | 8.3 |
| 3017823 | [CVE-2021-21483] Information Disclosure in SAP Solution Manager. Product – SAP Solution Manager, Version – 7.20 | High | 8.2 |
| 2993132 | Update to Security Note released on December 2020 Patch Day: [CVE-2020-26832] Missing Authorization check in SAP NetWeaver AS ABAP and SAP S4 HANA (SAP Landscape Transformation). Product – SAP NetWeaver AS ABAP (SAP Landscape Transformation – DMIS), Versions – 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020; Product – SAP S4 HANA (SAP Landscape Transformation), Versions – 101, 102, 103, 104, 105 | High | 7.6 |
| 3039649 | [CVE-2021-27608] Unquoted Search Path in SAPSetup. Product – SAP Setup, Version – 9.0 | High | 7.5 |
| 3001824 | [CVE-2021-21485] Information Disclosure in SAP NetWeaver AS for Java (Telnet Commands). Product – SAP NetWeaver AS for JAVA (Telnet Commands), Versions – ENGINEAPI – 7.30, 7.31, 7.40, 7.50; ESP_FRAMEWORK – 7.10, 7.20, 7.30, 7.31, 7.40, 7.50; SERVERCORE – 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; J2EE-FRMW – 7.10, 7.20, 7.30, 7.31, 7.40, 7.50 | High | 7.4 |
| 3027937 | [CVE-2021-27598] Improper Access Control in SAP NetWeaver AS for Java (Customer Usage Provisioning Servlet). Product – SAP NetWeaver AS for JAVA (Customer Usage Provisioning Servlet), Versions – 7.31, 7.40, 7.50 | Medium | 6.5 |
| 3028729 | [CVE-2021-27603] Denial of Service (DoS) in SAP NetWeaver AS for ABAP. Product – SAP NetWeaver AS for ABAP, Versions – 731, 740, 750 | Medium | 6.5 |
| 3012277 | [CVE-2021-27599] Information Disclosure in SAP Process Integration (Integration Builder Framework). Product – SAP Process Integration (Integration Builder Framework), Versions – 7.10, 7.30, 7.31, 7.40, 7.50 | Medium | 6.5 |
| 3036436 | [CVE-2021-27604] Potential XXE Vulnerability in SAP Process Integration (ESR Java Mappings). Product – SAP Process Integration (Enterprise Service Repository JAVA Mappings), Versions – 7.10, 7.20, 7.30, 7.31, 7.40, 7.50 | Medium | 6.5 |
| 3024414 | [CVE-2021-27600] Cross-Site Scripting (XSS) vulnerability in SAP Manufacturing Execution (System Rules). Product – SAP Manufacturing Execution (System Rules), Versions – 15.1, 15.2, 15.3, 15.4 | Medium | 6.4 |
| 2963592 | [CVE-2021-27601] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS Java (Applications based on HTMLB for Java). Product – SAP NetWeaver AS for Java (Applications based on HTMLB for Java), Versions – EP-BASIS – 7.10, 7.11, 7.30, 7.31, 7.40, 7.50; FRAMEWORK-EXT – 7.30, 7.31, 7.40, 7.50; FRAMEWORK – 7.10, 7.11 | Medium | 5.4 |
| 3036679 | Update to Security Note released on October 2011 Patch Day: Update 1 to Security Note 1576763: Potential information disclosure relating to usernames. Product – SAP NetWeaver AS ABAP, Versions – 7.30 | Medium | 5.3 |
| 2976947 | Update to Security Note released on March 2021 Patch Day: [CVE-2021-21491] Reverse TabNabbing vulnerability in SAP NetWeaver Application Server Java (Applications based on Web Dynpro Java). Product – SAP NetWeaver Application Server Java (Applications based on Web Dynpro Java), Versions – 7.00, 7.10, 7.11, 7.20, 7.30, 731, 7.40, 7.50 | Medium | 4.7 |
| 3030948 | [CVE-2021-27609] Missing Authorization check in SAP Focused RUN. Product – SAP Focused RUN, Versions – 200, 300 | Medium | 4.6 |
| 3025637 | [CVE-2021-21492] Content spoofing in NetWeaver AS Java HTTP Service. Product – SAP NetWeaver AS for JAVA (HTTP Service), Versions – 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 | Medium | 4.3 |