German software maker SAP this week announced the release of 17 new and two updated security notes on the September 2021 Security Patch Day. Seven of these deal with critical vulnerabilities in SAP products.
The most important of the newly released security notes patches a missing authorization check in SAP NetWeaver Application Server for Java. Tracked as CVE-2021-37535, the vulnerability has a CVSS score of 10.
Two other critical vulnerabilities (CVSS score of 9.9) were addressed with Hot News security notes for NetWeaver. These include CVE-2021-38163, an unrestricted file upload bug in Visual Composer 7.0 RT, and CVE-2021-37531, a code injection issue in Knowledge Management.
Both vulnerabilities require an attacker to have minimum privileges on the affected system for exploitation, which prevents the bugs from receiving the maximum CVSS score.
One other critical vulnerability (CVE-2021-38176, CVSS score of 9.9) is an SQL injection flaw patched in the Near Zero Downtime (NZDT) Mapping Table Framework that affects multiple products, including SAP HANA, LT Replication Server, Test Data Migration Server, Landscape Transformation, and LTRS for S/4HANA.
The issue is improper input sanitization in 25 RFC-enabled function modules that could allow an “authenticated user with certain specific privileges to remotely call these function modules and execute manipulated queries to gain access to the backend database,” SAP application security firm Onapsis explains.
The fifth Hot News security note that SAP released this week addresses critical code injection and reflected cross-site scripting (XSS) vulnerabilities in SAP Contact Center. Tracked as CVE-2021-33672, CVE-2021-33673, CVE-2021-33674, and CVE-2021-33675, the bugs carry a CVSS score of 9.6.
SAP also released two updated security notes this week, both Hot News, carrying a CVSS score of 10. The first delivers an update for the Chromium browser in Business Client, while the other deals with an unrestricted file upload bug in Business One (which was initially addressed in August).
Two High priority security notes were released on SAP’s September 2021 Patch Day, addressing an HTTP request smuggling issue in Web Dispatcher (CVE-2021-38162) and a null pointer dereference flaw in CommonCryptoLib (CVE-2021-38177).
SAP also released two Medium priority security notes on this month’s Patch Day, dealing with various issues in Analysis for Microsoft Office, Business Client, Business One, BusinessObjects, ERP Financial Accounting, NetWeaver, and 3D Visual Enterprise Viewer.
