
====================================================================

                             CERT-Renater

                 Information Note No. 2021/VULN307
_____________________________________________________________________

DATE                : 08/06/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running SAP Commerce,
                     SAP NetWeaver AS ABAP and ABAP Platform,
                     SAP NetWeaver AS for JAVA,
                     SAP NetWeaver AS for ABAP,
                     SAP Business One,
                     SAP Manufacturing Execution,
                     SAP Enable Now,
                     SAP Commerce Cloud,
                     SAP 3D Visual Enterprise Viewer,
                     SAP Fiori Apps 2.0 for Travel Management in SAP ERP.

=====================================================================
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999
_____________________________________________________________________

 SAP Security Patch Day – June 2021


    Created by Risham Guram about 13 hours ago


This post by the SAP Product Security Response Team shares information on
Patch Day Security Notes*, which are released on the second Tuesday of
every month and fix vulnerabilities discovered in SAP products. SAP
strongly recommends that customers visit the Support Portal and apply the
patches as a priority to protect their SAP landscape.

On 8th of June 2021, SAP Security Patch Day saw the release of 17
Security Notes. There were 2 updates to previously released Patch Day
Security Notes.


List of security notes released on June Patch Day:

Note#     Priority   CVSS   Title / Product
--------  ---------  -----  ------------------------------------------------

3040210   Hot News   9.9
  Title   : Update to Security Note Released on April 2021 Patch Day:
            [CVE-2021-27602] Remote Code Execution vulnerability in
            Source Rules of SAP Commerce
  Product : SAP Commerce, Versions - 1808, 1811, 1905, 2005, 2011

3007182   Hot News   9
  Title   : [CVE-2021-27610] Improper Authentication in SAP NetWeaver
            ABAP Server and ABAP Platform
  Product : SAP NetWeaver AS ABAP and ABAP Platform, Versions -
            700,701,702,731,740,750,751,752,753,754,755,804

3053066   High       8.7
  Title   : [CVE-2021-27635] Missing XML Validation in SAP NetWeaver AS
            for JAVA
  Product : SAP NetWeaver AS for JAVA, Versions - 7.20, 7.30, 7.31,
            7.40, 7.50

3020209   High       7.5
  Title   : [Multiple CVEs] Memory Corruption vulnerability in SAP
            NetWeaver ABAP Server and ABAP Platform
  CVEs    : CVE-2021-27606, CVE-2021-27629, CVE-2021-27630,
            CVE-2021-27631, CVE-2021-27632
  Product : SAP NetWeaver AS for ABAP (RFC Gateway), Versions -
            KRNL32NUC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49,
            KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73,
            KERNEL - 7.22,8.04,7.49,7.53,7.73,7.77,7.81,7.82,7.83

3020104   High       7.5
  Title   : [Multiple CVEs] Memory Corruption vulnerability in SAP
            NetWeaver ABAP Server and ABAP Platform
  CVEs    : CVE-2021-27597, CVE-2021-27633, CVE-2021-27634
  Product : SAP NetWeaver ABAP Server and ABAP Platform (Enqueue Server),
            Versions - KRNL32NUC - 7.22,7.22EXT,
            KRNL64NUC - 7.22,7.22EXT,7.49,
            KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73,
            KERNEL - 7.22,8.04,7.49,7.53,7.73

3021197   High       7.5
  Title   : [Multiple CVEs] Memory Corruption vulnerability in SAP
            NetWeaver ABAP Server and ABAP Platform
  CVEs    : CVE-2021-27607, CVE-2021-27628
  Product : SAP NetWeaver ABAP Server and ABAP Platform (Dispatcher),
            Versions - KRNL32NUC - 7.22,7.22EXT, KRNL32UC - 7.22,7.22EXT,
            KRNL64NUC - 7.22,7.22EXT,7.49,
            KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73,
            KERNEL - 7.22,8.04,7.49,7.53,7.73,7.77,7.81,7.82,7.83

3058382   Medium     6.7
  Title   : [CVE-2021-33662] Information Disclosure in SAP Business One
  Product : SAP Business One, Version - 10.0

3030961   Medium     6.4
  Title   : [CVE-2021-27615] Cross-Site Scripting (XSS) vulnerability in
            SAP Manufacturing Execution
  Product : SAP Manufacturing Execution, Versions - 15.1, 1.5.2, 15.3,
            15.4

3002517   Medium     6.3
  Title   : [CVE-2021-21473] Missing Authorization check in SAP NetWeaver
            AS ABAP and ABAP Platform
  Product : SAP NetWeaver AS ABAP and ABAP Platform
            (SRM_RFC_SUBMIT_REPORT), Versions - 700, 702, 710, 711, 730,
            731, 740, 750, 751, 752, 753, 754, 755

3004043   Medium     6.1
  Title   : [CVE-2021-21490] Cross-Site Scripting (XSS) vulnerability in
            SAP NetWeaver AS for ABAP (Web Survey)
  Product : SAP NetWeaver AS for ABAP (Web Survey), Versions - 700, 702,
            710, 711, 730, 731, 750, 750, 752, 75A, 75F

3021050   Medium     5.9
  Title   : [Multiple CVEs] Memory Corruption vulnerability in SAP IGS
  CVEs    : CVE-2021-27620, CVE-2021-27622, CVE-2021-27623,
            CVE-2021-27624, CVE-2021-27625, CVE-2021-27626,
            CVE-2021-27627
  Product : SAP NetWeaver AS (Internet Graphics Server – Portwatcher),
            Versions - 7.20,7.20EXT,7.53,7.20_EX2,7.81

3049879   Medium     5.9
  Title   : [CVE-2021-27637] Information Disclosure in SAP Enable Now
            (SAP Workforce Performance Builder - Manager)
  Product : SAP Enable Now (SAP Workforce Performance Builder - Manager),
            Versions - 10.0, 1.0

3030604   Medium     5.8
  Title   : [CVE-2021-33663] Plaintext command injection in SAP NetWeaver
            AS ABAP
  Product : SAP NetWeaver AS ABAP, Versions - KRNL32NUC - 7.22,7.22EXT,
            KRNL32UC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49,
            KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73,
            KERNEL - 7.22,8.04,7.49,7.53,7.73,7.77,7.81,7.82,7.83,7.84

3023299   Medium     5.5
  Title   : [CVE-2021-27621] Information Disclosure in SAP NetWeaver AS
            JAVA (UserAdmin Application)
  Product : SAP NetWeaver AS for Java (UserAdmin), Versions -
            7.11,7.20,7.30,7.31,7.40,7.50

3025604   Medium     5.4
  Title   : [CVE-2021-33664] Cross-Site Scripting (XSS) vulnerability
            within SAP NetWeaver AS ABAP (Applications based on Web
            Dynpro ABAP)
  Product : SAP NetWeaver Application Server ABAP (Applications based on
            Web Dynpro ABAP), Versions - SAP_UI – 750,752,753,754,755,
            SAP_BASIS – 702, 31

3028370   Medium     5.4
  Title   : [CVE-2021-33665] Cross-Site Scripting (XSS) vulnerability
            within SAP NetWeaver AS ABAP (Applications based on SAP GUI
            for HTML)
  Product : SAP NetWeaver Application Server ABAP (Applications based on
            SAP GUI for HTML), Versions - KRNL64NUC - 7.49,
            KRNL64UC - 7.49,7.53, KERNEL - 7.49,7.53,7.77,7.81,7.84

2985562   Medium     4.7
  Title   : [CVE-2021-33666] MIME Sniffing Vulnerability in SAP Commerce
            Cloud
  Product : SAP Commerce Cloud, Version - 100

3059999   Medium     4.3
  Title   : [Multiple CVEs] Improper Input Validation in SAP 3D Visual
            Enterprise Viewer
  CVEs    : CVE-2021-27638, CVE-2021-27639, CVE-2021-27640,
            CVE-2021-33659, CVE-2021-27642, CVE-2021-33661,
            CVE-2021-27641, CVE-2021-27643, CVE-2021-33660
  Product : SAP 3D Visual Enterprise Viewer, Version - 9

3025054   Medium     4.3
  Title   : Update to Security Note Released on April 2021 Patch Day:
            [CVE-2021-27605] Missing Authorization check in HCM Travel
            Management Fiori Apps V2
  Product : SAP Fiori Apps 2.0 for Travel Management in SAP ERP,
            Version - 608




Customers who would like to see all Security Notes published or updated
after May 11, 2021 can go to Launchpad Expert Search → Filter 'SAP
Security Notes' released between 'May 12, 2021 - June 8, 2021' → Go.

To learn more about the security researchers and research companies who
contributed to this month's security patches, visit the SAP Product
Security Response Acknowledgement Page.

Please write to us at secure@sap.com with any comments and feedback on
this blog post.

SAP Product Security Response Team



=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


