SAP on Tuesday announced the release of five new and two updated security notes as part of its November 2021 Security Patch Day, including one note that deals with a critical vulnerability in ABAP Platform Kernel.
Rated Hot News, which is SAP’s highest severity rating, the most severe of the new security notes addresses CVE-2021-40501 (CVSS score of 9.6), a missing authorization check vulnerability in ABAP Platform Kernel.
An authenticated business user could exploit the security hole to escalate their privileges on a vulnerable system, which would enable them to read and modify otherwise restricted data.
“The vulnerability affects trusted connections to other systems via RFC and HTTP communication, allowing the user to execute application-specific logic in other systems,” enterprise app security firm Onapsis explains.
SAP also addressed a high-severity missing authorization check in SAP Commerce, which too could allow an authenticated user to escalate privileges. Tracked as CVE-2021-40502 (CVSS score of 8.3), the bug affects all installations that use Commerce Organization.
SAP also released an updated high-priority security note addressing hardcoded credentials in CA Introscope Enterprise Manager, which was initially patched in 2020.
While these are the only two high-priority notes SAP has included in its advisory, Onapsis mentions a third such note (CVSS score of 7.9), which deals with known denial of service (DoS) vulnerabilities in open source dependencies used by Forecasting and Replenishment for Retail (FRP or F&R).
The note was released after the second Tuesday of October but before the second Tuesday of this month, the same as three other medium-priority notes.
SAP included four medium-priority security notes in this month’s advisory, one of which is an update for a September 2021 note. The notes address an information disclosure in GUI for Windows, missing authorization checks in ERP HCM and ERP Financial Accounting, and a leverage of permission in NetWeaver Application Server for ABAP and ABAP Platform.
Related: SAP Patches Critical Vulnerabilities in Environmental Compliance
Related: SAP Patches Critical Vulnerabilities With September 2021 Security Updates
Related: Nine Critical and High-Severity Vulnerabilities Patched in SAP Products
More from Ionut Arghire
- Google Leads $16 Million Investment in Dope.security
- Critical WooCommerce Payments Vulnerability Leads to Site Takeover
- PoC Exploit Published for Just-Patched Veeam Data Backup Solution Flaw
- CISA Gets Proactive With New Pre-Ransomware Alerts
- CISA, NSA Issue Guidance for IAM Administrators
- Cisco Patches High-Severity Vulnerabilities in IOS Software
- ‘Nexus’ Android Trojan Targets 450 Financial Applications
- ‘Badsecrets’ Open Source Tool Detects Secrets in Many Web Frameworks
Latest News
- Intel Co-founder, Philanthropist Gordon Moore Dies at 94
- Google Leads $16 Million Investment in Dope.security
- US Charges 20-Year-Old Head of Hacker Site BreachForums
- Tesla Hacked Twice at Pwn2Own Exploit Contest
- CISA Ships ‘Untitled Goose Tool’ to Hunt for Microsoft Azure Cloud Infections
- Critical WooCommerce Payments Vulnerability Leads to Site Takeover
- PoC Exploit Published for Just-Patched Veeam Data Backup Solution Flaw
- CISA Gets Proactive With New Pre-Ransomware Alerts
