
=====================================================================

                             CERT-Renater

                 Note d'Information No. 2021/VULN534
_____________________________________________________________________

DATE                : 13/10/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running SAP Business Client,
                     SAP Environmental Compliance,
                     SAP NetWeaver AS ABAP and ABAP Platform,
                     SAP SuccessFactors Mobile Application (for Android devices),
                     SAP BusinessObjects Business Intelligence Platform (Crystal Reports),
                     SAP Business One,
                     SAP NetWeaver Application Server for ABAP (SAP Cloud Print Manager and SAPSprint),
                     SAPUI5, SAP NetWeaver, SAP BusinessObjects Analysis.

=====================================================================
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983
_____________________________________________________________________


 SAP Security Patch Day – October 2021

    Created by Risham Guram on Oct 12, 2021


This post by the SAP Product Security Response Team shares information on
Patch Day Security Notes* that are released on the second Tuesday of every
month and fix vulnerabilities discovered in SAP products. SAP strongly
recommends that customers visit the Support Portal and apply the patches
as a priority to protect their SAP landscape.

On 12 October 2021, SAP Security Patch Day saw the release of 13 Security
Notes. There was 1 update to a previously released Patch Day Security
Note.


List of security notes released on October Patch Day:

Note# 2622660
  Title    - Update to Security Note released on April 2018 Patch Day:
             Security updates for the browser control Google Chromium
             delivered with SAP Business Client
  Product  - SAP Business Client, Version - 6.5
  Priority - HotNews, CVSS - 10

Note# 3101406
  Title    - Potential XML External Entity Injection Vulnerability in SAP
             Environmental Compliance
  CVEs     - CVE-2020-10683, CVE-2021-23926
  Product  - SAP Environmental Compliance, Version - 3.0
  Priority - HotNews, CVSS - 9.8

Note# 3097887
  Title    - [CVE-2021-38178] Improper Authorization in SAP NetWeaver AS ABAP
             and ABAP Platform
  Product  - SAP NetWeaver AS ABAP and ABAP Platform, Versions - 700, 701,
             702, 710, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756
  Priority - HotNews, CVSS - 9.1

Note# 3077635
  Title    - [CVE-2021-40498] Denial of service (DOS) in the SAP SuccessFactors
             Mobile Application for Android devices
  Product  - SAP SuccessFactors Mobile Application (for Android devices),
             Versions - <2108
  Priority - High, CVSS - 7.8

Note# 3074693
  Title    - [CVE-2021-40500] Missing XML Validation in SAP BusinessObjects
             Business Intelligence Platform (Crystal Reports)
  Product  - SAP BusinessObjects Business Intelligence Platform (Crystal
             Reports), Versions - 420, 430
  Priority - Medium, CVSS - 6.9

Note# 3074819
  Title    - [CVE-2021-38179] Information Disclosure in SAP Business One
  Product  - SAP Business One, Version - 10.0
  Priority - Medium, CVSS - 6.7

Note# 3079427
  Title    - [CVE-2021-38180] CSV Injection in SAP Business One
  Product  - SAP Business One, Version - 10.0
  Priority - Medium, CVSS - 6.5

Note# 3080710
  Title    - [CVE-2021-38181] Denial of service (DOS) in SAP NetWeaver AS ABAP
             and ABAP Platform
  Product  - SAP NetWeaver AS ABAP and ABAP Platform, Versions - 700, 701,
             702, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756
  Priority - Medium, CVSS - 6.5

Note# 3100882
  Title    - [CVE-2021-40499] Code Injection vulnerability for SAP NetWeaver
             Application Server for ABAP (SAP Cloud Print Manager and SAPSprint)
  Product  - SAP NetWeaver Application Server for ABAP (SAP Cloud Print
             Manager and SAPSprint), Versions - 7.70, 7.70 PI, 7.70BYD
  Priority - Medium, CVSS - 6.4

Note# 3055347
  Title    - Cross-Site Scripting (XSS) vulnerability in SAPUI5
  CVE      - CVE-2020-11023
  Product  - SAPUI5, Versions - 750, 753, 754
  Priority - Medium, CVSS - 6.1

Note# 3084937
  Title    - [CVE-2021-38183] Cross-Site Scripting (XSS) vulnerability in cms
             Service of SAP NetWeaver
  Product  - SAP NetWeaver, Versions - 700, 701, 702, 730
  Priority - Medium, CVSS - 5.4

Note# 3099011
  Title    - [CVE-2021-40495] Denial of Service (DOS) in SAP NetWeaver
             Application Server for ABAP and ABAP Platform
  Product  - SAP NetWeaver AS ABAP and ABAP Platform, Versions - 740, 750,
             751, 752, 753, 754, 755
  Priority - Medium, CVSS - 5.3

Note# 3098917
  Title    - [CVE-2021-40497] Information Disclosure in SAP BusinessObjects
             Analysis (edition for OLAP)
  Product  - SAP BusinessObjects Analysis (edition for OLAP), Versions -
             420, 430
  Priority - Medium, CVSS - 4.3

Note# 3087254
  Title    - [CVE-2021-40496] Improper Access Control in SAP NetWeaver AS ABAP
             and ABAP Platform
  Product  - SAP NetWeaver AS ABAP and ABAP Platform, Versions - 700, 701,
             702, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 785
  Priority - Medium, CVSS - 4.3

________________________________________________________________________________

[Figure: Vulnerability Type Distribution - October 2021]

# Multiple vulnerabilities on the same product can be fixed by one security
note.


[Figure: Security Notes vs Priority Distribution (May - October 2021)**]

* Patch Day Security Notes are all notes that appear under the category
of “Patch Day Notes” in SAP Support Portal

** Any Patch Day Security Note released after the second Tuesday will
be accounted for in the following SAP Security Patch Day.


Customers who would like to see all Security Notes published or updated
after September 14, 2021 can go to
Launchpad Expert Search → Filter 'SAP Security Notes' released between
'September 15, 2021 - October 12, 2021' → Go.


To learn more about the security researchers and research companies who
contributed to this month's security patches, visit the SAP Product
Security Response Acknowledgement Page.


Do write to us at secure@sap.com with all your comments and feedback on
this blog post.

SAP Product Security Response Team



=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================