Security Experts:

Connect with us

Hi, what are you looking for?



SAP Patches Critical Vulnerabilities With September 2021 Security Updates

German software maker SAP this week announced the release of 17 new and two updated security notes on the September 2021 Security Patch Day. Seven of these deal with critical vulnerabilities in SAP products.

German software maker SAP this week announced the release of 17 new and two updated security notes on the September 2021 Security Patch Day. Seven of these deal with critical vulnerabilities in SAP products.

The most important of the newly released security notes patches a missing authorization check in SAP NetWeaver Application Server for Java. Tracked as CVE-2021-37535, the vulnerability has a CVSS score of 10.

Two other critical vulnerabilities (CVSS score of 9.9) were addressed with Hot News security notes for NetWeaver. These include CVE-2021-38163, an unrestricted file upload bug in Visual Composer 7.0 RT, and CVE-2021-37531, a code injection issue in Knowledge Management.

Both vulnerabilities require for an attacker to have minimum privileges on the affected system for exploitation, which prevents the bugs from having a maximum CVSS score.

One other critical vulnerability (CVE-2021-38176, CVSS score of 9.9) is an SQL injection patched in the Near Zero Downtime (NZDT) Mapping Table Framework, but affects multiple products, including SAP HANA, LT Replication Server, Test Data Migration Server, Landscape Transformation, and LTRS for S/4HANA.

The issue is an improper input sanitization in 25 RFC-enabled function modules that could allow an “authenticated user with certain specific privileges to remotely call these function modules and execute manipulated queries to gain access to the backend database,” SAP application security firm Onapsis explains.

The fifth Hot News security note that SAP released this week addresses critical code injection and reflected cross-site scripting (XSS) vulnerabilities in SAP Contact Center. Tracked as CVE-2021-33672, CVE-2021-33673, CVE-2021-33674, and CVE-2021-33675, the bugs carry a CVSS score of 9.6.

SAP also released two updated security notes this week, both Hot News, carrying a CVSS score of 10. The first delivers an update for the Chromium browser in Business Client, while the other deals with an unrestricted file upload bug in Business One (which was initially addressed in August).

Two High priority security notes were released on SAP’s September 2021 Patch Day, addressing an HTTP request smuggling issue in Web Dispatcher (CVE-2021-38162) and a null pointer dereference flaw in CommonCryptoLib (CVE-2021-38177).

SAP also released two Medium priority security notes on this month’s Patch Day, dealing with various issues in Analysis for Microsoft Office, Business Client, Business One, BusinessObjects, ERP Financial Accounting, NetWeaver, and 3D Visual Enterprise Viewer.

Related: SAP Customer Survey Reveals False Sense of Security

Related: SAP Patches High-Risk Vulnerabilities in NetWeaver

Related: SAP Patches Critical Vulnerabilities in NetWeaver

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.


Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.