SAP’s security patch day for September 2021 has seen the release of 17 new OSS SAP security notes and 2 updates to existing notes. No notes have been classified as low, 10 notes have been classified medium, 2 as high, and 7 as critical, based on CVSS v3.0 Rating.
5 OSS notes have been released this month for SAP Business One and 2 notes have been released for SAP Business Client. Single notes have been released for SAP Visual Composer, SAP S/4HANA, SAP Business One, SAP Contact Center, SAP Web Dispatcher, SAP CommonCryptoLib, SAP Analysis for Microsoft Office, SAP ERP Financial Accounting, SAP 3D Visual Enterprise Viewer, SAP NetWeaver Enterprise Portal, SAP BusinessObjects, SAP NetWeaver AS JAVA and SAP Knowledge Management.
Vulnerabilities: September 2021 Highlights
[CVE-2021-37535] Missing Authorization check in SAP NetWeaver Application Server for Java (JMS Connector Service) (SAP Note 3078609)
The SAP NetWeaver Application Server for Java (JMS Connector Service) does not perform the necessary authorization checks for user privileges. This means an authenticated user could abuse functionality restricted to a different user group, or read, modify or delete data.
[CVE-2021-38176] SQL Injection vulnerability in SAP NZDT Mapping Table Framework (SAP Note 3089831)
An authenticated user with certain privileges can call NZDT function modules to execute a query to gain access to the backend database. This could completely compromise confidentiality, integrity, and availability of the system.
[CVE-2021-38163] Unrestricted File Upload vulnerability in SAP NetWeaver (Visual Composer 7.0 RT) (SAP Note 3084487)
This vulnerability allows an authenticated, non-administrative user to upload a malicious file over a network, which can then be used to run operating system commands. These commands can read or modify information or even shut down the server.
[CVE-2021-37531] Code Injection vulnerability in SAP NetWeaver Knowledge Management (XMLForms) (SAP Note 3081888)
The SAP NetWeaver Portal contains a vulnerability which allows a non-administrative authenticated attacker to craft a malicious stylesheet file containing a script with OS-level commands. These commands can then be executed, reading or modifying information or even shutting down the server.
About this review
On the second Tuesday of each month, SAP releases security updates for its software products. At Absoft, we analyse all of the released security updates and produce this security review, including sending bespoke recommendations to each of our managed service customers.
There is more information on how we handle SAP security updates, including information on SAP’s process, the CVE process and the CVSS base scores in our earlier article on addressing security vulnerabilities in SAP software.