SAP on Tuesday announced the release of five new and two updated security notes as part of its November 2021 Security Patch Day, including one note that deals with a critical vulnerability in ABAP Platform Kernel.
Rated Hot News, which is SAP’s highest severity rating, the most severe of the new security notes addresses CVE-2021-40501 (CVSS score of 9.6), a missing authorization check vulnerability in ABAP Platform Kernel.
An authenticated business user could exploit the security hole to escalate their privileges on a vulnerable system, which would enable them to read and modify otherwise restricted data.
“The vulnerability affects trusted connections to other systems via RFC and HTTP communication, allowing the user to execute application-specific logic in other systems,” enterprise app security firm Onapsis explains.
SAP also addressed a high-severity missing authorization check in SAP Commerce, which too could allow an authenticated user to escalate privileges. Tracked as CVE-2021-40502 (CVSS score of 8.3), the bug affects all installations that use Commerce Organization.
SAP also released an updated high-priority security note addressing hardcoded credentials in CA Introscope Enterprise Manager, which was initially patched in 2020.
While these are the only two high-priority notes SAP has included in its advisory, Onapsis mentions a third such note (CVSS score of 7.9), which deals with known denial of service (DoS) vulnerabilities in open source dependencies used by Forecasting and Replenishment for Retail (FRP or F&R).
The note was released after the second Tuesday of October but before the second Tuesday of this month, the same as three other medium-priority notes.
SAP included four medium-priority security notes in this month’s advisory, one of which is an update for a September 2021 note. The notes address an information disclosure in GUI for Windows, missing authorization checks in ERP HCM and ERP Financial Accounting, and a leverage of permission in NetWeaver Application Server for ABAP and ABAP Platform.
Related: SAP Patches Critical Vulnerabilities in Environmental Compliance
Related: SAP Patches Critical Vulnerabilities With September 2021 Security Updates
Related: Nine Critical and High-Severity Vulnerabilities Patched in SAP Products