German software maker SAP this week announced the release of 17 new and two updated security notes on the September 2021 Security Patch Day. Seven of these deal with critical vulnerabilities in SAP products.
The most important of the newly released security notes patches a missing authorization check in SAP NetWeaver Application Server for Java. Tracked as CVE-2021-37535, the vulnerability has a CVSS score of 10.
Two other critical vulnerabilities (CVSS score of 9.9) were addressed with Hot News security notes for NetWeaver. These include CVE-2021-38163, an unrestricted file upload bug in Visual Composer 7.0 RT, and CVE-2021-37531, a code injection issue in Knowledge Management.
Both vulnerabilities require an attacker to have minimum privileges on the affected system for exploitation, which prevents the bugs from having a maximum CVSS score.
One other critical vulnerability (CVE-2021-38176, CVSS score of 9.9) is an SQL injection patched in the Near Zero Downtime (NZDT) Mapping Table Framework that affects multiple products, including SAP HANA, LT Replication Server, Test Data Migration Server, Landscape Transformation, and LTRS for S/4HANA.
The issue is improper input sanitization in 25 RFC-enabled function modules that could allow an “authenticated user with certain specific privileges to remotely call these function modules and execute manipulated queries to gain access to the backend database,” SAP application security firm Onapsis explains.
The fifth Hot News security note that SAP released this week addresses critical code injection and reflected cross-site scripting (XSS) vulnerabilities in SAP Contact Center. Tracked as CVE-2021-33672, CVE-2021-33673, CVE-2021-33674, and CVE-2021-33675, the bugs carry a CVSS score of 9.6.
SAP also released two updated security notes this week, both Hot News, carrying a CVSS score of 10. The first delivers an update for the Chromium browser in Business Client, while the other deals with an unrestricted file upload bug in Business One (which was initially addressed in August).
Two High priority security notes were released on SAP’s September 2021 Patch Day, addressing an HTTP request smuggling issue in Web Dispatcher (CVE-2021-38162) and a null pointer dereference flaw in CommonCryptoLib (CVE-2021-38177).
SAP also released two Medium priority security notes on this month’s Patch Day, dealing with various issues in Analysis for Microsoft Office, Business Client, Business One, BusinessObjects, ERP Financial Accounting, NetWeaver, and 3D Visual Enterprise Viewer.