On October 12, SAP released a security update comprising 14 new patches, including 3 critical ones.
CERT PSE encourages administrators to review the notes for SAP Security Patch Day and apply the necessary updates.
Full list of patches:
Note# | Title | Priority | CVSS |
2622660 | Update to Security Note released on April 2018 Patch Day: | HotNews | 10 |
3101406 | Potential XML External Entity Injection Vulnerability in SAP Environmental Compliance | HotNews | 9.8 |
3097887 | [CVE-2021-38178] Improper Authorization in SAP NetWeaver AS ABAP and ABAP Platform Product – SAP NetWeaver AS ABAP and ABAP Platform, Versions – 700, 701, 702, 710, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756 | HotNews | 9.1 |
3077635 | [CVE-2021-40498] Denial of service (DOS) in the SAP SuccessFactors Mobile Application for Android devices Product – SAP SuccessFactors Mobile Application (for Android devices), Versions – <2108 | High | 7.8 |
3074693 | [CVE-2021-40500] Missing XML Validation in SAP BusinessObjects Business Intelligence Platform (Crystal Reports) Product – SAP BusinessObjects Business Intelligence Platform (Crystal Reports), Versions – 420, 430 | Medium | 6.9 |
3074819 | [CVE-2021-38179] Information Disclosure in SAP Business One Product – SAP Business One, Version – 10.0 | Medium | 6.7 |
3079427 | [CVE-2021-38180] CSV Injection in SAP Business One Product – SAP Business One, Version – 10.0 | Medium | 6.5 |
3080710 | [CVE-2021-38181] Denial of service (DOS) in SAP NetWeaver AS ABAP and ABAP Platform Product – SAP NetWeaver AS ABAP and ABAP Platform, Versions – 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756 | Medium | 6.5 |
3100882 | [CVE-2021-40499] Code Injection vulnerability for SAP NetWeaver Application Server for ABAP (SAP Cloud Print Manager and SAPSprint) Product – SAP NetWeaver Application Server for ABAP (SAP Cloud Print Manager and SAPSprint), Versions – 7.70, 7.70 PI, 7.70BYD | Medium | 6.4 |
3055347 | Cross-Site Scripting (XSS) vulnerability in SAPUI5 Related CVE – CVE-2020-11023 Product – SAPUI5, Versions – 750, 753, 754 | Medium | 6.1 |
3084937 | [CVE-2021-38183] Cross-Site Scripting (XSS) vulnerability in cms Service of SAP NetWeaver Product – SAP NetWeaver, Versions – 700, 701, 702, 730 | Medium | 5.4 |
3099011 | [CVE-2021-40495] Denial of Service (DOS) in SAP NetWeaver Application Server for ABAP and ABAP Platform Product – SAP NetWeaver AS ABAP and ABAP Platform, Versions – 740, 750, 751, 752, 753, 754, 755 | Medium | 5.3 |
3098917 | [CVE-2021-40497] Information Disclosure in SAP BusinessObjects Analysis (edition for OLAP) Product – SAP BusinessObjects Analysis, (edition for OLAP), Versions – 420, 430 | Medium | 4.3 |
3087254 | [CVE-2021-40496] Improper Access Control in SAP NetWeaver AS ABAP and ABAP Platform Product – SAP NetWeaver AS ABAP and ABAP Platform, Versions – 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 785 | Medium | 4.3 |