On 14 September 2021, SAP released security notes to address 17 vulnerabilities, including seven that are marked HotNews (Critical). We recommend applying the latest updates as soon as possible.
- CVE-2021-37535 affects SAP NetWeaver Application Server Java (JMS Connector Service). Versions 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 of the product fail to perform necessary authorization checks for user privileges. CVSS score: 10.
- SAP Business Client version 6.5 received an update to a Security Note released April 2018 regarding the browser control Google Chromium delivered with the product. CVSS score: 10.
- SAP Business One version 10.0 received an update to a Security Note released August 2021 on an issue tracked as CVE-2021-33698. This vulnerability allows someone with business authorization to upload any files (including script files) without the proper file format validation. CVSS score: 9.9.
- CVE-2021-38163 affects SAP NetWeaver (Visual Composer 7.0 RT) versions 7.30, 7.31, 7.40, and 7.50. A party authenticated as a non-administrative user can upload a malicious file over a network and trigger its processing, which is capable of running operating system commands with the privilege of the Java Server process. These commands can be used to read or modify any information on the server or shut the server down making it unavailable. CVSS score: 9.9.
- CVE-2021-37531 is a Code Injection vulnerability in SAP NetWeaver Knowledge Management (XMLForms) versions 7.10, 7.11, 7.30, 7.31, 7.40, 7.50. It allows a non-administrative authenticated user to perform unauthorized functions that could lead to a full compromise of the system. CVSS score: 9.9.
- CVE-2021-38176 is a SQL Injection vulnerability in SAP Near Zero Downtime (NZDT) Mapping Table Framework. The following SAP products that use NZDT are affected: S/4HANA, LT Replication Server, LTRS for S/4HANA, Test Data Migration Server, and Landscape Transformation. CVSS score: 9.9.
- SAP Contact Center was affected by four vulnerabilities tracked as CVE-2021-33672, CVE-2021-33673, CVE-2021-33674, and CVE-2021-33675. All of these are assigned with a CVSS score of 9.6.
- If you are using any of the vulnerable SAP products, ensure you have the latest updates installed.