On June 8, SAP released a security update that includes 17 new patches, 2 of which are critical.
CERT PSE encourages administrators to review the SAP Security Patch Day notes and apply the necessary updates.
Full list of patches:
Note# | Title | Priority | CVSS |
3040210 | Update to Security Note Released on April 2021 Patch Day: [CVE-2021-27602] Remote Code Execution vulnerability in Source Rules of SAP Commerce Product – SAP Commerce, Versions – 1808, 1811, 1905, 2005, 2011 | Hot News | 9.9 |
3007182 | [CVE-2021-27610] Improper Authentication in SAP NetWeaver ABAP Server and ABAP Platform Product – SAP NetWeaver AS ABAP and ABAP Platform, Versions – 700,701,702,731,740,750,751,752,753,754,755,804 | Hot News | 9 |
3053066 | [CVE-2021-27635] Missing XML Validation in SAP NetWeaver AS for JAVA Product – SAP NetWeaver AS for JAVA, Versions – 7.20, 7.30, 7.31, 7.40, 7.50 | High | 8.7 |
3020209 | [Multiple CVEs] Memory Corruption vulnerability in SAP NetWeaver ABAP Server and ABAP Platform CVEs – CVE-2021-27606, CVE-2021-27629, CVE-2021-27630, CVE-2021-27631, CVE-2021-27632 Product – SAP NetWeaver AS for ABAP (RFC Gateway), Versions – KRNL32NUC – 7.22,7.22EXT, KRNL64NUC – 7.22,7.22EXT,7.49, KRNL64UC – 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL – 7.22,8.04,7.49,7.53,7.73,7.77,7.81,7.82,7.83 | High | 7.5 |
3020104 | [Multiple CVEs] Memory Corruption vulnerability in SAP NetWeaver ABAP Server and ABAP Platform CVEs – CVE-2021-27597, CVE-2021-27633, CVE-2021-27634 Product – SAP NetWeaver ABAP Server and ABAP Platform (Enqueue Server), Versions – KRNL32NUC – 7.22,7.22EXT, KRNL64NUC – 7.22,7.22EXT,7.49, KRNL64UC – 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL – 7.22,8.04,7.49,7.53,7.73 | High | 7.5 |
3021197 | [Multiple CVEs] Memory Corruption vulnerability in SAP NetWeaver ABAP Server and ABAP Platform CVEs – CVE-2021-27607, CVE-2021-27628 Product – SAP NetWeaver ABAP Server and ABAP Platform (Dispatcher), Versions – KRNL32NUC – 7.22,7.22EXT, KRNL32UC – 7.22,7.22EXT, KRNL64NUC – 7.22,7.22EXT,7.49, KRNL64UC – 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL – 7.22,8.04,7.49,7.53,7.73,7.77,7.81,7.82,7.83 | High | 7.5 |
3058382 | [CVE-2021-33662] Information Disclosure in SAP Business One Product – SAP Business One, Version – 10.0 | Medium | 6.7 |
3030961 | [CVE-2021-27615] Cross-Site Scripting (XSS) vulnerability in SAP Manufacturing Execution Product – SAP Manufacturing Execution, Versions – 15.1, 1.5.2, 15.3, 15.4 | Medium | 6.4 |
3002517 | [CVE-2021-21473] Missing Authorization check in SAP NetWeaver AS ABAP and ABAP Platform Product – SAP NetWeaver AS ABAP and ABAP Platform (SRM_RFC_SUBMIT_REPORT), Versions – 700, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755 | Medium | 6.3 |
3004043 | [CVE-2021-21490] Cross-Site Scripting (XSS) vulnerability in SAP Netweaver AS for ABAP (Web Survey) Product – SAP NetWeaver AS for ABAP (Web Survey), Versions – 700, 702, 710, 711, 730, 731, 750, 750, 752, 75A, 75F | Medium | 6.1 |
3021050 | [Multiple CVEs] Memory Corruption vulnerability in SAP IGS CVEs – CVE-2021-27620, CVE-2021-27622, CVE-2021-27623, CVE-2021-27624, CVE-2021-27625, CVE-2021-27626, CVE-2021-27627 Product – SAP NetWeaver AS (Internet Graphics Server – Portwatcher), Versions – 7.20,7.20EXT,7.53,7.20_EX2,7.81 | Medium | 5.9 |
3049879 | [CVE-2021-27637] Information Disclosure in SAP Enable Now (SAP Workforce Performance Builder – Manager) Product – SAP Enable Now (SAP Workforce Performance Builder – Manager), Versions – 10.0, 1.0 | Medium | 5.9 |
3030604 | [CVE-2021-33663] Plaintext command injection in SAP NetWeaver AS ABAP Product – SAP NetWeaver AS ABAP, Versions – KRNL32NUC – 7.22,7.22EXT, KRNL32UC – 7.22,7.22EXT, KRNL64NUC – 7.22,7.22EXT,7.49, KRNL64UC – 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL – 7.22,8.04,7.49,7.53,7.73,7.77,7.81,7.82,7.83,7.84 | Medium | 5.8 |
3023299 | [CVE-2021-27621] Information Disclosure in SAP NetWeaver AS JAVA (UserAdmin Application) Product – SAP NetWeaver AS for Java (UserAdmin), Versions – 7.11,7.20,7.30,7.31,7.40,7.50 | Medium | 5.5 |
3025604 | [CVE-2021-33664] Cross-Site Scripting (XSS) vulnerability within SAP NetWeaver AS ABAP (Applications based on Web Dynpro ABAP) Product – SAP NetWeaver Application Server ABAP (Applications based on Web Dynpro ABAP), Versions – SAP_UI – 750,752,753,754,755, SAP_BASIS – 702, 31 | Medium | 5.4 |
3028370 | [CVE-2021-33665] Cross-Site Scripting (XSS) vulnerability within SAP NetWeaver AS ABAP (Applications based on SAP GUI for HTML) Product – SAP NetWeaver Application Server ABAP (Applications based on SAP GUI for HTML), Versions – KRNL64NUC – 7.49, KRNL64UC – 7.49,7.53, KERNEL – 7.49,7.53,7.77,7.81,7.84 | Medium | 5.4 |
2985562 | [CVE-2021-33666] MIME Sniffing Vulnerability in SAP Commerce Cloud Product – SAP Commerce Cloud, Version – 100 | Medium | 4.7 |
3059999 | [Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer CVEs – CVE-2021-27638, CVE-2021-27639, CVE-2021-27640, CVE-2021-33659, CVE-2021-27642, CVE-2021-33661, CVE-2021-27641, CVE-2021-27643, CVE-2021-33660 Product – SAP 3D Visual Enterprise Viewer, Version – 9 | Medium | 4.3 |
3025054 | Update to Security Note Released on April 2021 Patch Day: [CVE-2021-27605] Missing Authorization check in HCM Travel Management Fiori Apps V2 Product – SAP Fiori Apps 2.0 for Travel Management in SAP ERP, Version – 608 | Medium | 4.3 |