CVE-2021-21466: SAP Security Patch Day – January 2021 - Product Security Response at SAP
SAP Business Warehouse, versions 700, 701, 702, 711, 730, 731, 740, 750, 782, and SAP BW/4HANA, versions 100, 200, allow a low-privileged attacker to inject code over the network using a remote-enabled function module. Via the function module an attacker can create a malicious ABAP report, which could be used to gain access to sensitive data, to inject malicious UPDATE statements that could also affect the operating system, or to disrupt the functionality of the SAP system, leading to a Denial of Service. Because the entry point is a remote-enabled function module, any user able to invoke it over RFC is in scope; the fix is SAP Security Note 2999854, listed below, which should be applied to all affected releases.
This post by the SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply the patches as a priority to protect their SAP landscape.
On 12 January 2021, SAP Security Patch Day saw the release of 10 new Security Notes, along with 7 updates to previously released Patch Day Security Notes (17 entries in total in the list below).
List of security notes released on January Patch Day:

| Note# | Title | Product and versions | Priority | CVSS |
|---|---|---|---|---|
| 2622660 | Update to security note released on April 2018 Patch Day: Security updates for the browser control Google Chromium delivered with SAP Business Client | SAP Business Client, version 6.5 | Hot News | 10.0 |
| 2986980 | [CVE-2021-21465] Multiple vulnerabilities in SAP Business Warehouse (Database Interface); additional CVE: CVE-2021-21468 | SAP Business Warehouse, versions 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 782 | Hot News | 9.9 |
| 2999854 | [CVE-2021-21466] Code Injection in SAP Business Warehouse and SAP BW/4HANA | SAP Business Warehouse, versions 700, 701, 702, 711, 730, 731, 740, 750, 782; SAP BW/4HANA, versions 100, 200 | Hot News | 9.9 |
| 2983367 | Update to security note released on December 2020 Patch Day: [CVE-2020-26838] Code Injection vulnerability in SAP Business Warehouse (Master Data Management) and SAP BW/4HANA | SAP Business Warehouse, versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 782; SAP BW/4HANA, versions 100, 200 | Hot News | 9.1 |
| 2979062 | Update to security note released on November 2020 Patch Day: [CVE-2020-26820] Privilege escalation in SAP NetWeaver Application Server for Java (UDDI Server) | SAP NetWeaver AS Java, versions 7.20, 7.30, 7.31, 7.40, 7.50 | Hot News | 9.1 |
| 3000306 | [CVE-2021-21446] Denial of service (DoS) in SAP NetWeaver AS ABAP and ABAP Platform | SAP NetWeaver AS ABAP, versions 740, 750, 751, 752, 753, 754, 755 | High | 7.5 |
| 2863397 | Update to security note released on January 2020 Patch Day: [CVE-2020-6307] Missing Authorization Check in Automated Note Search Tool (SAP_BASIS) | Automated Note Search Tool (SAP Basis), versions 7.0, 7.01, 7.02, 7.31, 7.4, 7.5, 7.51, 7.52, 7.53, 7.54 | Medium | 6.5 |
| 2826528 | Update to security note released on April 2020 Patch Day: [CVE-2020-6224] Information Disclosure in SAP NetWeaver Application Server Java (HTTP Service) | SAP NetWeaver AS Java (HTTP Service), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 | Medium | 6.2 |
| 2984034 | [CVE-2021-21445] Header Manipulation vulnerability in SAP Commerce Cloud | SAP Commerce Cloud, versions 1808, 1811, 1905, 2005, 2011 | Medium | 5.4 |
| 2965154 | [CVE-2021-21447] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface) | SAP BusinessObjects Business Intelligence platform (Web Intelligence HTML interface), versions 410, 420 | Medium | 5.4 |
| 2912747 | Update to security note released on May 2020 Patch Day: [CVE-2020-6256] Missing Authorization check in SAP Master Data Governance | SAP Master Data Governance, versions 748, 749, 750, 751, 752, 800, 801, 802, 803, 804 | Medium | 5.4 |
| 2971163 | Update to security note released on December 2020 Patch Day: [CVE-2020-26816] Missing Encryption in SAP NetWeaver AS Java (Key Storage Service) | SAP NetWeaver AS Java (Key Storage Service), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 | Medium | 5.4 |
| 2992269 | [CVE-2021-21448] Information Disclosure in SAP GUI for Windows | SAP GUI for Windows, version 7.60 | Medium | 5.3 |
| 2993032 | [CVE-2021-21469] Information Disclosure in SAP NetWeaver Master Data Management | SAP NetWeaver Master Data Management, versions 7.10, 7.10.750, 710 | Medium | 5.3 |
| 3002617 | [Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer; CVEs: CVE-2021-21449, CVE-2021-21450, CVE-2021-21451, CVE-2021-21452, CVE-2021-21453, CVE-2021-21454, CVE-2021-21455, CVE-2021-21456, CVE-2021-21457, CVE-2021-21458, CVE-2021-21459, CVE-2021-21460, CVE-2021-21461, CVE-2021-21462, CVE-2021-21463, CVE-2021-21464 | SAP 3D Visual Enterprise Viewer, version 9.0 | Medium | 4.3 |
| 3008422 | [CVE-2021-21467] Missing Authorization check in SAP Banking Services (Generic Market Data) | SAP Banking Services (Generic Market Data), versions 400, 450, 500 | Medium | 4.3 |
| 3000291 | [CVE-2021-21470] XML External Entity vulnerability in SAP EPM add-in | SAP EPM add-in, versions 2.8, 1010 | Low | 3.6 |
[Chart: Vulnerability Type Distribution - January 2021]
#Multiple vulnerabilities in the same product can be fixed by one security note.
[Chart: Security Notes vs Priority Distribution (August 2020 – January 2021)**]
* Patch Day Security Notes are all notes that appear under the category of "Patch Day Notes" in the SAP Support Portal.
** Any Patch Day Security Note released after the second Tuesday will be accounted for in the following SAP Security Patch Day.
Customers who would like to see all Security Notes published or updated after December 08, 2020 can go to Launchpad Expert Search → filter 'SAP Security Notes' released between 'December 10, 2020 - January 12, 2021' → Go.
To learn more about the security researchers and research companies who contributed to this month's security patches, visit the SAP Product Security Response Acknowledgement Page.
Please write to us at [email protected] with your comments and feedback on this blog post.
SAP Product Security Response Team