CVE-2021-21466: SAP Security Patch Day – January 2021 - Product Security Response at SAP

This post by SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that the customer visits the Support Portal and applies patches on a priority to protect their SAP landscape.

On 12th of January 2021, SAP Security Patch Day saw the release of 10 Security Notes. There were 7 updates to previously released Patch Day Security Notes.

List of security notes released on January Patch Day:

Note#

Title

Priority

CVSS

2622660

Update to security note released on April 2018 Patch Day:
Security updates for the browser control Google Chromium delivered with SAP Business Client
Product - SAP Business Client, Version - 6.5

Hot News

10

2986980

[CVE-2021-21465] Multiple vulnerabilities in SAP Business Warehouse (Database Interface)
Additional CVE - CVE-2021-21468
Product - SAP Business Warehouse, Versions - 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 782

Hot News

9.9

2999854

[CVE-2021-21466] Code Injection in SAP Business Warehouse and SAP BW/4HANA
Product - SAP Business Warehouse, Versions - 700, 701, 702, 711, 730, 731, 740, 750, 782
Product - SAP BW4HANA, Versions - 100, 200

Hot News

9.9

2983367

Update to security note released on December 2020 Patch Day:
[CVE-2020-26838] Code Injection vulnerability in SAP Business Warehouse (Master Data Management) and SAP BW4HANA
Product - SAP Business Warehouse, Versions - 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 782
Product - SAP BW4HANA, Versions - 100, 200

Hot News

9.1

2979062

Update to security note released on November 2020 Patch Day:
[CVE-2020-26820] **Privilege escalation in SAP NetWeaver Application Server for Java (UDDI Server)
**Product - SAP NetWeaver AS JAVA, Versions - 7.20, 7.30, 7.31, 7.40, 7.50

Hot News

9.1

3000306

[CVE-2021-21446] Denial of service (DOS) in SAP NetWeaver AS ABAP and ABAP Platform
Product - SAP NetWeaver AS ABAP, Versions - 740, 750, 751, 752, 753, 754, 755

High

7.5

2863397

Update to security note released on January 2020 Patch Day:
[CVE-2020-6307] **Missing Authorization Check in Automated Note Search Tool (SAP_BASIS)
**Product - Automated Note Search Tool (SAP Basis), Versions - 7.0, 7.01,7.02, 7.31, 7.4, 7.5, 7.51, 7.52, 7.53 and 7.54

Medium

6.5

2826528

Update to security note released on April 2020 Patch Day:
[CVE-2020-6224] **Information Disclosure in SAP NetWeaver Application Server Java (HTTP Service)
**Product - SAP NetWeaver AS Java (HTTP Service), Versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50

Medium

6.2

2984034

[CVE-2021-21445] Header Manipulation vulnerability in SAP Commerce Cloud
Product - SAP Commerce Cloud, Versions - 1808, 1811, 1905, 2005, 2011

Medium

5.4

2965154

[CVE-2021-21447] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface)
Product - SAP BusinessObjects Business Intelligence platform (Web Intelligence HTML interface), Versions - 410, 420

Medium

5.4

2912747

Update to security note released on May 2020 Patch Day:
[CVE-2020-6256] **Missing Authorization check in SAP Master Data Governance
**Product - SAP Master Data Governance, Versions - 748, 749, 750, 751, 752, 800, 801, 802, 803, 804

Medium

5.4

2971163

Update to security note released on December 2020 Patch Day:
[CVE-2020-26816] Missing Encryption in SAP NetWeaver AS Java (Key Storage Service)
Product - SAP NetWeaver AS JAVA (Key Storage Service), Versions - 7.10, 7.11, 7.20 ,7.30, 7.31, 7.40, 7.50

Medium

5.4

2992269

[CVE-2021-21448] Information Disclosure in SAP GUI for Windows
Product - SAP GUI FOR WINDOWS, Version - 7.60

Medium

5.3

2993032

[CVE-2021-21469] Information Disclosure in SAP NetWeaver Master Data Management
Product - SAP NetWeaver Master Data Management, Versions - 7.10, 7.10.750, 710

Medium

5.3

3002617

[Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer
CVEs - CVE-2021-21449, CVE-2021-21457, CVE-2021-21458, CVE-2021-21459, CVE-2021-21450, CVE-2021-21451, CVE-2021-21452, CVE-2021-21453, CVE-2021-21454, CVE-2021-21455, CVE-2021-21456, CVE-2021-21460, CVE-2021-21461, CVE-2021-21462, CVE-2021-21463, CVE-2021-21464
Product - SAP 3D Visual Enterprise Viewer, Version - 9.0

Medium

4.3

3008422

[CVE-2021-21467] Missing Authorization check in SAP Banking Services (Generic Market Data)
Product - SAP Banking Services (Generic Market Data), Versions - 400, 450, 500

Medium

4.3

3000291

[CVE-2021-21470] XML External Entity vulnerability in SAP EPM add-in
Product - SAP EPM ADD-IN, Versions - 2.8, 1010

Low

3.6

, ________________________________________________________________________________

Vulnerability Type Distribution - January 2021

#Multiple vulnerabilities on same product can be fixed by one security note.

Security Notes vs Priority Distribution (August 2020 – January 2021)**

* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in SAP Support Portal

** Any Patch Day Security Note released after the second Tuesday, will be accounted for in the following SAP Security Patch Day.

Customers who would like to take a look at all Security Notes published or updated after December 08, 2020, go to Launchpad Expert Search → Filter ‘SAP Security Notes’ released between ‘December 10, 2020 - January 12, 2021’ → Go.

To know more about the security researchers and research companies who have contributed for security patches of this month, visit SAP Product Security Response Acknowledgement Page.

Do write to us at [email protected] with all your comments and feedback on this blog post.

SAP Product Security Response Team