On 12 October, SAP released a security update comprising 14 new patches, including 3 critical ones.

CERT PSE encourages administrators to review the notes from SAP Security Patch Day and apply the necessary updates.

Full list of patches:

| Note# | Title | Priority | CVSS |
|---|---|---|---|
| 2622660 | Update to Security Note released on April 2018 Patch Day: Security updates for the browser control Google Chromium delivered with SAP Business Client; Product – SAP Business Client, Version – 6.5 | HotNews | 10 |
| 3101406 | Potential XML External Entity Injection Vulnerability in SAP Environmental Compliance; Related CVEs – CVE-2020-10683, CVE-2021-23926; Product – SAP Environmental Compliance, Version – 3.0 | HotNews | 9.8 |
| 3097887 | [CVE-2021-38178] Improper Authorization in SAP NetWeaver AS ABAP and ABAP Platform; Product – SAP NetWeaver AS ABAP and ABAP Platform, Versions – 700, 701, 702, 710, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756 | HotNews | 9.1 |
| 3077635 | [CVE-2021-40498] Denial of service (DOS) in the SAP SuccessFactors Mobile Application for Android devices; Product – SAP SuccessFactors Mobile Application (for Android devices), Versions – <2108 | High | 7.8 |
| 3074693 | [CVE-2021-40500] Missing XML Validation in SAP BusinessObjects Business Intelligence Platform (Crystal Reports); Product – SAP BusinessObjects Business Intelligence Platform (Crystal Reports), Versions – 420, 430 | Medium | 6.9 |
| 3074819 | [CVE-2021-38179] Information Disclosure in SAP Business One; Product – SAP Business One, Version – 10.0 | Medium | 6.7 |
| 3079427 | [CVE-2021-38180] CSV Injection in SAP Business One; Product – SAP Business One, Version – 10.0 | Medium | 6.5 |
| 3080710 | [CVE-2021-38181] Denial of service (DOS) in SAP NetWeaver AS ABAP and ABAP Platform; Product – SAP NetWeaver AS ABAP and ABAP Platform, Versions – 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756 | Medium | 6.5 |
| 3100882 | [CVE-2021-40499] Code Injection vulnerability for SAP NetWeaver Application Server for ABAP (SAP Cloud Print Manager and SAPSprint); Product – SAP NetWeaver Application Server for ABAP (SAP Cloud Print Manager and SAPSprint), Versions – 7.70, 7.70 PI, 7.70BYD | Medium | 6.4 |
| 3055347 | Cross-Site Scripting (XSS) vulnerability in SAPUI5; Related CVE – CVE-2020-11023; Product – SAPUI5, Versions – 750, 753, 754 | Medium | 6.1 |
| 3084937 | [CVE-2021-38183] Cross-Site Scripting (XSS) vulnerability in cms Service of SAP NetWeaver; Product – SAP NetWeaver, Versions – 700, 701, 702, 730 | Medium | 5.4 |
| 3099011 | [CVE-2021-40495] Denial of Service (DOS) in SAP NetWeaver Application Server for ABAP and ABAP Platform; Product – SAP NetWeaver AS ABAP and ABAP Platform, Versions – 740, 750, 751, 752, 753, 754, 755 | Medium | 5.3 |
| 3098917 | [CVE-2021-40497] Information Disclosure in SAP BusinessObjects Analysis (edition for OLAP); Product – SAP BusinessObjects Analysis, (edition for OLAP), Versions – 420, 430 | Medium | 4.3 |
| 3087254 | [CVE-2021-40496] Improper Access Control in SAP NetWeaver AS ABAP and ABAP Platform; Product – SAP NetWeaver AS ABAP and ABAP Platform, Versions – 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 785 | Medium | 4.3 |