Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

SAP Patches Critical Vulnerabilities With September 2021 Security Updates

German software maker SAP this week announced the release of 17 new and two updated security notes on the September 2021 Security Patch Day. Seven of these deal with critical vulnerabilities in SAP products.

German software maker SAP this week announced the release of 17 new and two updated security notes on the September 2021 Security Patch Day. Seven of these deal with critical vulnerabilities in SAP products.

The most important of the newly released security notes patches a missing authorization check in SAP NetWeaver Application Server for Java. Tracked as CVE-2021-37535, the vulnerability has a CVSS score of 10.

Two other critical vulnerabilities (CVSS score of 9.9) were addressed with Hot News security notes for NetWeaver. These include CVE-2021-38163, an unrestricted file upload bug in Visual Composer 7.0 RT, and CVE-2021-37531, a code injection issue in Knowledge Management.

Both vulnerabilities require for an attacker to have minimum privileges on the affected system for exploitation, which prevents the bugs from having a maximum CVSS score.

One other critical vulnerability (CVE-2021-38176, CVSS score of 9.9) is an SQL injection patched in the Near Zero Downtime (NZDT) Mapping Table Framework, but affects multiple products, including SAP HANA, LT Replication Server, Test Data Migration Server, Landscape Transformation, and LTRS for S/4HANA.

The issue is an improper input sanitization in 25 RFC-enabled function modules that could allow an “authenticated user with certain specific privileges to remotely call these function modules and execute manipulated queries to gain access to the backend database,” SAP application security firm Onapsis explains.

The fifth Hot News security note that SAP released this week addresses critical code injection and reflected cross-site scripting (XSS) vulnerabilities in SAP Contact Center. Tracked as CVE-2021-33672, CVE-2021-33673, CVE-2021-33674, and CVE-2021-33675, the bugs carry a CVSS score of 9.6.

SAP also released two updated security notes this week, both Hot News, carrying a CVSS score of 10. The first delivers an update for the Chromium browser in Business Client, while the other deals with an unrestricted file upload bug in Business One (which was initially addressed in August).

Advertisement. Scroll to continue reading.

Two High priority security notes were released on SAP’s September 2021 Patch Day, addressing an HTTP request smuggling issue in Web Dispatcher (CVE-2021-38162) and a null pointer dereference flaw in CommonCryptoLib (CVE-2021-38177).

SAP also released two Medium priority security notes on this month’s Patch Day, dealing with various issues in Analysis for Microsoft Office, Business Client, Business One, BusinessObjects, ERP Financial Accounting, NetWeaver, and 3D Visual Enterprise Viewer.

Related: SAP Customer Survey Reveals False Sense of Security

Related: SAP Patches High-Risk Vulnerabilities in NetWeaver

Related: SAP Patches Critical Vulnerabilities in NetWeaver

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.