
October 14, 2021 |

SAP October 2021 updates address critical vulnerabilities


On 12 October 2021, SAP released security notes addressing 14 vulnerabilities, three of which are rated HotNews (SAP's highest priority, reserved for CVSS 9.0 and above). We recommend applying the latest updates as soon as possible.

Details

  • SAP Business Client version 6.5 received an updated Security Note covering the Google Chromium browser control shipped with the product. CVSS score: 10.
  • SAP Environmental Compliance version 3.0 used a vulnerable version of the dom4j library. It received fixes for two XML External Entity (XXE) Injection vulnerabilities tracked as CVE-2020-10683 and CVE-2021-23926.
    • Vulnerable dom4j versions accepted external Document Type Definitions (DTDs) and resolved external entities by default, which can enable XXE attacks (local file disclosure, server-side request forgery, or denial of service through entity expansion). Upgrading the library is the fix for the shipped product; for any application that uses dom4j, OWASP's XXE prevention guidance documents how to explicitly enable the safe, non-default parser configuration, which is worth doing regardless of the library version in use. CVSS score: 9.8.
  • Various versions of SAP NetWeaver AS ABAP and ABAP Platform were affected by an Improper Authorization issue tracked as CVE-2021-38178. The issue could enable a malicious user to transfer ABAP code artifacts or content to the quality and production systems, compromising the confidentiality, integrity, and availability of those systems and their data. CVSS score: 9.1.

Recommendations

  • If you are using any of the vulnerable SAP products, ensure you have the latest updates installed.
