On 8 June 2021, SAP released its monthly security updates: 17 new security notes, two of which are rated Hot News (critical), plus two updates to notes first released on the April 2021 Patch Day.

CERT PSE encourages administrators to review the notes published for the SAP Security Patch Day and to apply the required updates.

Full list of patches:

Note# | Title | Priority | CVSS
3040210 | Update to Security Note released on April 2021 Patch Day: [CVE-2021-27602] Remote Code Execution vulnerability in Source Rules of SAP Commerce | Hot News | 9.9
    Product – SAP Commerce, Versions – 1808, 1811, 1905, 2005, 2011
3007182 | [CVE-2021-27610] Improper Authentication in SAP NetWeaver ABAP Server and ABAP Platform | Hot News | 9.0
    Product – SAP NetWeaver AS ABAP and ABAP Platform, Versions – 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 804
3053066 | [CVE-2021-27635] Missing XML Validation in SAP NetWeaver AS for JAVA | High | 8.7
    Product – SAP NetWeaver AS for JAVA, Versions – 7.20, 7.30, 7.31, 7.40, 7.50
3020209 | [Multiple CVEs] Memory Corruption vulnerability in SAP NetWeaver ABAP Server and ABAP Platform | High | 7.5
    CVEs – CVE-2021-27606, CVE-2021-27629, CVE-2021-27630, CVE-2021-27631, CVE-2021-27632
    Product – SAP NetWeaver AS for ABAP (RFC Gateway), Versions – KRNL32NUC – 7.22, 7.22EXT; KRNL64NUC – 7.22, 7.22EXT, 7.49; KRNL64UC – 8.04, 7.22, 7.22EXT, 7.49, 7.53, 7.73; KERNEL – 7.22, 8.04, 7.49, 7.53, 7.73, 7.77, 7.81, 7.82, 7.83
3020104 | [Multiple CVEs] Memory Corruption vulnerability in SAP NetWeaver ABAP Server and ABAP Platform | High | 7.5
    CVEs – CVE-2021-27597, CVE-2021-27633, CVE-2021-27634
    Product – SAP NetWeaver ABAP Server and ABAP Platform (Enqueue Server), Versions – KRNL32NUC – 7.22, 7.22EXT; KRNL64NUC – 7.22, 7.22EXT, 7.49; KRNL64UC – 8.04, 7.22, 7.22EXT, 7.49, 7.53, 7.73; KERNEL – 7.22, 8.04, 7.49, 7.53, 7.73
3021197 | [Multiple CVEs] Memory Corruption vulnerability in SAP NetWeaver ABAP Server and ABAP Platform | High | 7.5
    CVEs – CVE-2021-27607, CVE-2021-27628
    Product – SAP NetWeaver ABAP Server and ABAP Platform (Dispatcher), Versions – KRNL32NUC – 7.22, 7.22EXT; KRNL32UC – 7.22, 7.22EXT; KRNL64NUC – 7.22, 7.22EXT, 7.49; KRNL64UC – 8.04, 7.22, 7.22EXT, 7.49, 7.53, 7.73; KERNEL – 7.22, 8.04, 7.49, 7.53, 7.73, 7.77, 7.81, 7.82, 7.83
3058382 | [CVE-2021-33662] Information Disclosure in SAP Business One | Medium | 6.7
    Product – SAP Business One, Version – 10.0
3030961 | [CVE-2021-27615] Cross-Site Scripting (XSS) vulnerability in SAP Manufacturing Execution | Medium | 6.4
    Product – SAP Manufacturing Execution, Versions – 15.1, 15.2, 15.3, 15.4
3002517 | [CVE-2021-21473] Missing Authorization check in SAP NetWeaver AS ABAP and ABAP Platform | Medium | 6.3
    Product – SAP NetWeaver AS ABAP and ABAP Platform (SRM_RFC_SUBMIT_REPORT), Versions – 700, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755
3004043 | [CVE-2021-21490] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS for ABAP (Web Survey) | Medium | 6.1
    Product – SAP NetWeaver AS for ABAP (Web Survey), Versions – 700, 702, 710, 711, 730, 731, 750, 750, 752, 75A, 75F
3021050 | [Multiple CVEs] Memory Corruption vulnerability in SAP IGS | Medium | 5.9
    CVEs – CVE-2021-27620, CVE-2021-27622, CVE-2021-27623, CVE-2021-27624, CVE-2021-27625, CVE-2021-27626, CVE-2021-27627
    Product – SAP NetWeaver AS (Internet Graphics Server – Portwatcher), Versions – 7.20, 7.20EXT, 7.53, 7.20_EX2, 7.81
3049879 | [CVE-2021-27637] Information Disclosure in SAP Enable Now (SAP Workforce Performance Builder – Manager) | Medium | 5.9
    Product – SAP Enable Now (SAP Workforce Performance Builder – Manager), Versions – 10.0, 1.0
3030604 | [CVE-2021-33663] Plaintext command injection in SAP NetWeaver AS ABAP | Medium | 5.8
    Product – SAP NetWeaver AS ABAP, Versions – KRNL32NUC – 7.22, 7.22EXT; KRNL32UC – 7.22, 7.22EXT; KRNL64NUC – 7.22, 7.22EXT, 7.49; KRNL64UC – 8.04, 7.22, 7.22EXT, 7.49, 7.53, 7.73; KERNEL – 7.22, 8.04, 7.49, 7.53, 7.73, 7.77, 7.81, 7.82, 7.83, 7.84
3023299 | [CVE-2021-27621] Information Disclosure in SAP NetWeaver AS JAVA (UserAdmin Application) | Medium | 5.5
    Product – SAP NetWeaver AS for Java (UserAdmin), Versions – 7.11, 7.20, 7.30, 7.31, 7.40, 7.50
3025604 | [CVE-2021-33664] Cross-Site Scripting (XSS) vulnerability within SAP NetWeaver AS ABAP (Applications based on Web Dynpro ABAP) | Medium | 5.4
    Product – SAP NetWeaver Application Server ABAP (Applications based on Web Dynpro ABAP), Versions – SAP_UI – 750, 752, 753, 754, 755; SAP_BASIS – 702, 731
3028370 | [CVE-2021-33665] Cross-Site Scripting (XSS) vulnerability within SAP NetWeaver AS ABAP (Applications based on SAP GUI for HTML) | Medium | 5.4
    Product – SAP NetWeaver Application Server ABAP (Applications based on SAP GUI for HTML), Versions – KRNL64NUC – 7.49; KRNL64UC – 7.49, 7.53; KERNEL – 7.49, 7.53, 7.77, 7.81, 7.84
2985562 | [CVE-2021-33666] MIME Sniffing Vulnerability in SAP Commerce Cloud | Medium | 4.7
    Product – SAP Commerce Cloud, Version – 100
3059999 | [Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer | Medium | 4.3
    CVEs – CVE-2021-27638, CVE-2021-27639, CVE-2021-27640, CVE-2021-33659, CVE-2021-27642, CVE-2021-33661, CVE-2021-27641, CVE-2021-27643, CVE-2021-33660
    Product – SAP 3D Visual Enterprise Viewer, Version – 9
3025054 | Update to Security Note released on April 2021 Patch Day: [CVE-2021-27605] Missing Authorization check in HCM Travel Management Fiori Apps V2 | Medium | 4.3
    Product – SAP Fiori Apps 2.0 for Travel Management in SAP ERP, Version – 608