====================================================================

                             CERT-Renater

                 Note d'Information No. 2021/VULN269
_____________________________________________________________________

DATE                : 11/05/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running SAP Business Client, SAP Commerce,
                     SAP Business Warehouse, SAP NetWeaver AS ABAP,
                     SAP Business One, version for SAP HANA,
                     SAP Business One (Cookbooks),
                     SAP Commerce (Backoffice Search),
                SAP Process Integration (Integration Builder Framework),
                     SAP NetWeaver Application Server Java,
                     SAP Focused RUN,
                     SAP GUI for Windows.

=====================================================================
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=576094655
_____________________________________________________________________

 SAP Security Patch Day – May 2021


    Created by Risham Guram about 13 hours ago



This post by SAP Product Security Response Team shares information on
Patch Day Security Notes* that are released on second Tuesday of every
month and fix vulnerabilities discovered in SAP products. SAP strongly
recommends that the customer visits the Support Portal and applies
patches on a priority to protect their SAP landscape.

On 11th of May 2021, SAP Security Patch Day saw the release of 6
Security Notes. There were 5 updates to previously released Patch Day
Security Notes.


List of security notes released on May Patch Day:

Note#	Title	Priority	CVSS

2622660	Update to Security Note released on August 2018 Patch Day:
Security updates for the browser control Google Chromium delivered with
SAP Business Client
Product - SAP Business Client, Version - 6.5   	Hot News	10

3040210	Update to Security Note released on April 2021 Patch Day:
[CVE-2021-27602] Remote Code Execution vulnerability in Source Rules of
SAP Commerce
Product - SAP Commerce, Versions - 1808, 1811, 1905, 2005, 2011 	Hot
News	9.9

2999854	Update to Security Note released on January 2021 Patch Day:
[CVE-2021-21466] Code Injection in SAP Business Warehouse and SAP BW/4HANA
Product - SAP Business Warehouse, Versions - 700, 701, 702, 711, 730,
731, 740, 750, 782
Product - SAP BW4HANA, Versions - 100, 200	Hot News	9.9

3046610	[CVE-2021-27611] Code Injection vulnerability in SAP NetWeaver
AS ABAP
Product - SAP NetWeaver AS ABAP, Versions - 700,701,702,730,731
	High	8.2

3049661	[CVE-2021-27616] Multiple vulnerabilities in SAP Business One,
version for SAP HANA (Business-One-Hana-Chef-Cookbook)
Additional CVE - CVE-2021-27614
Product - SAP Business One, version for SAP HANA (Cookbooks), Versions -
0.1.6, 0.1.7, 0.1.19       	High	7.8

3049755	[CVE-2021-27613] Information Disclosure in SAP Business One
(Chef business-one-cookbook)
Product - SAP Business One (Cookbooks), Version - 0.1.9	High	7.8

3039818	[CVE-2021-27619] Information Disclosure in SAP Commerce
(Backoffice search)
Product - SAP Commerce (Backoffice Search), Versions - 1808, 1811, 1905,
2005, 2011	   Medium	    6.5

3012021	[Multiple CVEs] Multiple vulnerabilities in SAP Process
Integration (Integration Builder Framework)
CVEs - CVE-2021-27617, CVE-2021-27618
Product - SAP Process Integration (Integration Builder Framework),
Versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50	Medium	4.9

2976947	Update to Security Note released on March 2021 Patch Day:
[CVE-2021-21491] Reverse TabNabbing vulnerability in SAP NetWeaver
Application Server Java (Applications based on Web Dynpro Java)
Product - SAP NetWeaver Application Server Java (Applications based on
Web Dynpro Java), Versions - 7.00, 7.10, 7.11, 7.20, 7.30, 731,
7.40, 7.50 	Medium	4.7

3030948	Update to Security Note released on April 2021 Patch Day:
[CVE-2021-27609] Missing Authorization check in SAP Focused RUN
Product - SAP Focused RUN, Versions - 200, 300	Medium	4.6

3023078	[CVE-2021-27612] SAP GUI for Windows is vulnerable to redirect
users to an untrusted website
Product - SAP GUI for Windows, Versions - 7.60, 7.70	Low	3.4

________________________________________________________________________________

Vulnerability Type Distribution -  May 2021

#Multiple vulnerabilities on same product can be fixed by one security
note.


Security Notes vs Priority Distribution (December 2020 – May 2021)**

* Patch Day Security Notes are all notes that appear under the category
of “Patch Day Notes” in SAP Support Portal

** Any Patch Day Security Note released after the second Tuesday, will
be accounted for in the following SAP Security Patch Day.


Customers who would like to take a look at all Security Notes published
or updated after April 13, 2021, go to Launchpad Expert Search → Filter
'SAP Security Notes' released between 'April 14, 2021 - May 11, 2021' → Go.

To know more about the security researchers and research companies who
have contributed for security patches of this month, visit SAP Product
Security Response Acknowledgement Page.

Do write to us at secure@sap.com with all your comments and feedback on
this blog post.



SAP Product Security Response Team

=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================