Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2021-33670: SAP Security Patch Day – July 2021 - Product Security Response at SAP

SAP NetWeaver AS for Java (Http Service Monitoring Filter), versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker to send multiple HTTP requests with different method types thereby crashing the filter and making the HTTP server unavailable to other legitimate users leading to denial of service vulnerability.

CVE
#xss#vulnerability#web#google#dos#git#java#intel#auth#chrome#sap

This post by SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that the customer visits the Support Portal and applies patches on a priority to protect their SAP landscape.

On 13th of July 2021, SAP Security Patch Day saw the release of 12 Security Notes. There were 3 updates to previously released Patch Day Security Notes.

List of security notes released on July Patch Day:

Note#

Title

Priority

CVSS

2622660

Update to Security Note released on August 2018 Patch Day:
Security updates for the browser control Google Chromium delivered with SAP Business ClientProduct - SAP Business Client, Version - 6.5

Hot News

10

3007182

Update to Security Note released on June 2021 Patch Day:[CVE-2021-27610] Improper Authentication in SAP NetWeaver ABAP Server and ABAP Platform
Product - SAP NetWeaver AS ABAP and ABAP Platform, Versions - 700,701,702,731,740,750,751,752,753,754,755,804

Hot News

9

3059446

[CVE-2021-33671] Missing Authorization check in SAP NetWeaver Guided Procedures
Product - SAP NetWeaver Guided Procedures (Administration Workset), Versions - 7.10, 7.20, 7.30, 7.31, 7.40, 7.50

High

7.6

3056652

[CVE-2021-33670] Denial of Service (DoS) in SAP NetWeaver AS for Java (Http Service)
Product - SAP NetWeaver AS for Java (Http Service), Versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50

High

7.5

3066316

[CVE-2021-33676] Missing authorization check in SAP CRM ABAP
Product - SAP CRM, Versions - 700, 701, 702, 712, 713, 714

Medium

6.8

3036436

Update to Security Note released on April 2021 Patch Day:[CVE-2021-27604] Potential XXE Vulnerability in SAP Process Integration (ESR Java Mappings)
Product - SAP Process Integration (Enterprise Service Repository JAVA Mappings), Versions - 7.10, 7.20, 7.30, 7.31, 7.40, 7.50

Medium

6.5

3044754

[CVE-2021-33677] Information Disclosure in SAP NetWeaver AS ABAP and ABAP Platform
Product - SAP NetWeaver AS ABAP and ABAP Platform, Versions - 700, 702, 730, 731, 804, 740, 750, 784, DEV

Medium

6.5

3048657

[CVE-2021-33678] Code Injection vulnerability in SAP NetWeaver AS ABAP (Reconciliation Framework)
Product - SAP NetWeaver AS ABAP (Reconciliation Framework), Versions - 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 75A, 75B, 75B, 75C, 75D, 75E, 75F

Medium

6.5

3053403

[CVE-2021-33682] Cross-Site Scripting (XSS) vulnerability in SAP Lumira Server
Product - SAP Lumira Server, Version - 2.4

Medium

5.4

3000663

[CVE-2021-33683] HTTP Request Smuggling in SAP Web Dispatcher and Internet Communication Manager
Product - SAP Web Dispatcher and Internet Communication Manager, Versions - KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.53, 7.73, WEBDISP 7.53, 7.73, 7.77, 7.81, 7.82, 7.83, KERNEL 7.21, 7.22, 7.49, 7.53, 7.73, 7.77, 7.81, 7.82, 7.83

Medium

5.4

3032624

[CVE-2021-33684] Memory Corruption in SAP NetWeaver AS ABAP and ABAP Platform
Product - SAP NetWeaver AS ABAP and ABAP Platform, Versions - KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, KRNL64UC 8.04, 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.53, KERNEL 8.04, 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.53, 7.77, 7.81, 7.84

Medium

5.3

3059764

[CVE-2021-33687] Information Disclosure in SAP NetWeaver AS for Java (Enterprise Portal)
Product - SAP NetWeaver AS JAVA (Enterprise Portal), Versions - 7.10, 7.20, 7.30, 7.31, 7.40, 7.50

Medium

4.5

3044751

[CVE-2021-33667] Information Disclosure in SAP Business Objects Web Intelligence (BI Launchpad)
Product - SAP Business Objects Web Intelligence (BI Launchpad), Versions - 420, 430

Medium

4.3

3067890

[Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer
CVEs - CVE-2021-33681, CVE-2021-33680
Product - SAP 3D Visual Enterprise Viewer, Version - 9.0

Medium

4.3

3038594

[CVE-2021-33689] Insufficient Logging in SAP NetWeaver AS for JAVA (Administrator)
Product - SAP NetWeaver AS JAVA (Administrator applications), Version - 7.50

Low

3.5

, ________________________________________________________________________________

Vulnerability Type Distribution - July 2021

#Multiple vulnerabilities on same product can be fixed by one security note.

Security Notes vs Priority Distribution (February – July 2021)**

* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in SAP Support Portal

** Any Patch Day Security Note released after the second Tuesday, will be accounted for in the following SAP Security Patch Day.

Customers who would like to take a look at all Security Notes published or updated after June 8, 2021, go to Launchpad Expert Search → Filter ‘SAP Security Notes’ released between ‘June 9, 2021 - July 13, 2021’ → Go.

To know more about the security researchers and research companies who have contributed for security patches of this month, visit SAP Product Security Response Acknowledgement Page.

Do write to us at [email protected] with all your comments and feedback on this blog post.

SAP Product Security Response Team

Related news

Researchers Detail 4 SAP Bugs, Including Flaw in ABAP Kernel

Patches are available for three bugs, but with technical details and PoCs now available, threat actors can craft targeted attacks.

SAP Application Server ABAP / ABAP Platform Code Injection / SQL Injection / Missing Authorization

The SAP application server ABAP and ABAP Platform are susceptible to code injection, SQL injection, and missing authorization vulnerabilities. Multiple SAP products are affected.

CVE-2021-33678

A function module of SAP NetWeaver AS ABAP (Reconciliation Framework), versions - 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 75A, 75B, 75B, 75C, 75D, 75E, 75F, allows a high privileged attacker to inject code that can be executed by the application. An attacker could thereby delete some critical information and could make the SAP system completely unavailable.

CVE-2021-33683

SAP Web Dispatcher and Internet Communication Manager (ICM), versions - KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.53, 7.73, WEBDISP 7.53, 7.73, 7.77, 7.81, 7.82, 7.83, KERNEL 7.21, 7.22, 7.49, 7.53, 7.73, 7.77, 7.81, 7.82, 7.83, process invalid HTTP header. The incorrect handling of the invalid Transfer-Encoding header in a particular manner leads to a possibility of HTTP Request Smuggling attack. An attacker could exploit this vulnerability to bypass web application firewall protection, divert sensitive data such as customer requests, session credentials, etc.

CVE-2021-27610

SAP NetWeaver ABAP Server and ABAP Platform, versions - 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 804, does not create information about internal and external RFC user in consistent and distinguished format, which could lead to improper authentication and may be exploited by malicious users to obtain illegitimate access to the system.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907