
====================================================================

                             CERT-Renater

                 Information Note No. 2021/VULN148
_____________________________________________________________________

DATE                : 10/03/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running SAP Solution Manager,
              SAP Business Client,
              SAP Manufacturing Integration and Intelligence,
              SAP NetWeaver AS JAVA,
              SAP HANA, SAP Enterprise Financial Services,
              SAP NetWeaver Knowledge Management,
              SAP NetWeaver Application Server Java,
              SAP BusinessObjects Business Intelligence Platform,
              SAP 3D Visual Enterprise Viewer,
              SAP ERP, SAP S/4 HANA.

=====================================================================
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=571343107
_____________________________________________________________________

 SAP Security Patch Day – March 2021


    Created by Risham Guram

This post by the SAP Product Security Response Team shares information
on Patch Day Security Notes* that are released on the second Tuesday of
every month and fix vulnerabilities discovered in SAP products. SAP
strongly recommends that customers visit the Support Portal and apply
patches as a priority to protect their SAP landscape.


On the 9th of March 2021, SAP Security Patch Day saw the release of 9
Security Notes. There were 4 updates to previously released Patch Day
Security Notes.


List of security notes released on March Patch Day:

Note#    : 2890213
Title    : Update to security note released on March 2020 Patch Day:
           [CVE-2020-6207] Missing Authentication Check in SAP Solution
           Manager (User-Experience Monitoring)
Product  : SAP Solution Manager (User Experience Monitoring),
           Version - 7.2
Priority : Hot News
CVSS     : 10

Note#    : 2622660
Title    : Update to security note released on April 2018 Patch Day:
           Security updates for the browser control Google Chromium
           delivered with SAP Business Client
Product  : SAP Business Client, Version - 6.5
Priority : Hot News
CVSS     : 10

Note#    : 3022622
Title    : [CVE-2021-21480] Code Injection Vulnerability in SAP MII
Product  : SAP Manufacturing Integration and Intelligence,
           Versions - 15.1, 15.2, 15.3, 15.4
Priority : Hot News
CVSS     : 9.9

Note#    : 3022422
Title    : [CVE-2021-21481] Missing Authorization Check in SAP NetWeaver
           AS JAVA (MigrationService)
Product  : SAP NetWeaver AS JAVA (MigrationService),
           Versions - 7.10, 7.11, 7.30, 7.31, 7.40, 7.50
Priority : Hot News
CVSS     : 9.6

Note#    : 3017378
Title    : [CVE-2021-21484] Possible authentication bypass in SAP HANA
           LDAP scenarios
Product  : SAP HANA, Version - 2.0
Priority : High
CVSS     : 7.7

Note#    : 3007888
Title    : [CVE-2021-21486] Missing Authorization check in SAP Enterprise
           Financial Services (Bank Customer Accounts)
Product  : SAP Enterprise Financial Services (Bank Customer Accounts),
           Versions - 101, 102, 103, 104, 105, 600, 603, 604, 605, 606,
           616, 617, 618, 800
Priority : Medium
CVSS     : 6.8

Note#    : 2983436
Title    : [CVE-2021-21488] Insecure Deserialisation in SAP NetWeaver
           Knowledge Management
Product  : SAP NetWeaver Knowledge Management,
           Versions - 7.01, 7.02, 7.30, 7.31, 7.40, 7.50
Priority : Medium
CVSS     : 6.8

Note#    : 3023778
Title    : [CVE-2021-21487] Missing Authorization Check in Payment Engine
Product  : SAP Payment Engine, Version - 500
Priority : Medium
CVSS     : 6.8

Note#    : 2943844
Title    : Update to security note released on October 2020 Patch Day:
           [CVE-2020-6308] Server-Side Request Forgery vulnerability in
           SAP BusinessObjects Business Intelligence Platform
           (Web Services)
Product  : SAP BusinessObjects Business Intelligence Platform
           (Web Services), Versions - 410, 420, 430
Priority : Medium
CVSS     : 5.3

Note#    : 2976947
Title    : [CVE-2021-21491] Reverse TabNabbing vulnerability in SAP
           NetWeaver Application Server Java (Applications based on
           Web Dynpro Java)
Product  : SAP NetWeaver Application Server Java (Applications based on
           Web Dynpro Java), Versions - 7.00, 7.10, 7.11, 7.20, 7.30,
           731, 7.40, 7.50
Priority : Medium
CVSS     : 4.7

Note#    : 3027767
Title    : [CVE-2021-27592] Improper Input Validation in SAP 3D Visual
           Enterprise Viewer
Product  : SAP 3D Visual Enterprise Viewer, Version - 9
Priority : Medium
CVSS     : 4.3

Note#    : 3027758
Title    : [Multiple CVEs] Improper Input Validation in SAP 3D Visual
           Enterprise Viewer
Related CVEs : CVE-2021-27585, CVE-2021-27586, CVE-2021-27587,
           CVE-2021-21493, CVE-2021-27588, CVE-2021-27591,
           CVE-2021-27584, CVE-2021-27589, CVE-2021-27590
Product  : SAP 3D Visual Enterprise Viewer, Version - 9
Priority : Medium
CVSS     : 4.3

Note#    : 2944188
Title    : Update to security note released on November 2020 Patch Day:
           [CVE-2020-6316] Missing Authorization Check in SAP ERP and
           SAP S/4 HANA
Product  : SAP ERP, Versions - 600, 602, 603, 604, 605, 606, 616, 617,
           618
Product  : SAP S/4 HANA, Versions - 100, 101, 102, 103, 104


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


