SAP releases security patch update for September 2021 – 23.09.2021

SAP has released security patches that fix vulnerabilities affecting multiple products:

| Note | Title | Product / Versions | Priority | CVSS |
|---|---|---|---|---|
| 2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | SAP Business Client, Version 6.5 | HotNews | 10 |
| 3078609 | [CVE-2021-37535] Missing Authorization check in SAP NetWeaver Application Server for Java (JMS Connector Service) | SAP NetWeaver Application Server Java (JMS Connector Service), Versions 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 | HotNews | 10 |
| 3071984 | Update to Security Note released on August 2021 Patch Day: [CVE-2021-33698] Unrestricted File Upload vulnerability in SAP Business One | SAP Business One, Version 10.0 | HotNews | 9.9 |
| 3089831 | [CVE-2021-38176] SQL Injection vulnerability in SAP NZDT Mapping Table Framework | SAP S/4HANA, Versions 1511, 1610, 1709, 1809, 1909, 2020, 2021; SAP LT Replication Server, Versions 2.0, 3.0; SAP LTRS for S/4HANA, Version 1.0; SAP Test Data Migration Server, Version 4.0; SAP Landscape Transformation, Version 2.0 | HotNews | 9.9 |
| 3084487 | [CVE-2021-38163] Unrestricted File Upload vulnerability in SAP NetWeaver (Visual Composer 7.0 RT) | SAP NetWeaver (Visual Composer 7.0 RT), Versions 7.30, 7.31, 7.40, 7.50 | HotNews | 9.9 |
| 3081888 | [CVE-2021-37531] Code Injection vulnerability in SAP NetWeaver Knowledge Management (XMLForms) | SAP NetWeaver Knowledge Management XML Forms, Versions 7.10, 7.11, 7.30, 7.31, 7.40, 7.50 | HotNews | 9.9 |
| 3073891 | [CVE-2021-33672] Multiple vulnerabilities in SAP Contact Center (additional CVEs: CVE-2021-33673, CVE-2021-33674, CVE-2021-33675) | SAP Contact Center, Version 700 | HotNews | 9.6 |
| 3080567 | [CVE-2021-38162] HTTP Request Smuggling in SAP Web Dispatcher | SAP Web Dispatcher, Versions WEBDISP 7.49, 7.53, 7.77, 7.81; KRNL64NUC 7.22, 7.22EXT, 7.49; KRNL64UC 7.22, 7.22EXT, 7.49, 7.53; KERNEL 7.22, 7.49, 7.53, 7.77, 7.81, 7.83 | High | 8.9 |
| 3051787 | [CVE-2021-38177] Null Pointer Dereference vulnerability in SAP CommonCryptoLib | SAP CommonCryptoLib, Versions 8.5.38 or lower | High | 7.5 |
| 3069032 | [CVE-2021-33685] Directory Traversal vulnerability in SAP Business One | SAP Business One, Version 10.0 | Medium | 6.5 |
| 3082500 | [CVE-2021-38175] Information Disclosure in SAP Analysis for Microsoft Office | SAP Analysis for Microsoft Office, Version 2.8 | Medium | 6.5 |
| 3060621 | [CVE-2021-38150] Information disclosure in SAP Business Client | SAP Business Client, Versions 7.0, 7.70 | Medium | 6.1 |
| 3055180 | [CVE-2021-33679] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (BI Workspace) | SAP BusinessObjects Business Intelligence Platform (BI Workspace), Version 420 | Medium | 5.4 |
| 3068582 | [CVE-2021-38164] Missing Authorization check in SAP ERP Financial Accounting / RFOPENPOSTING_FR | SAP ERP Financial Accounting (RFOPENPOSTING_FR), Versions SAP_APPL 600, 602, 603, 604, 605, 606, 616; SAP_FIN 617, 618, 700, 720, 730; SAPSCORE 125; S4CORE 100, 101, 102, 103, 104, 105 | Medium | 5.4 |
| 3070138 | [CVE-2021-33686] Information Disclosure in SAP Business One | SAP Business One, Version 10.0 | Medium | 5.3 |
| 3082219 | [CVE-2021-21489] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal | SAP NetWeaver Enterprise Portal, Versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 | Medium | 4.8 |
| 3069882 | [CVE-2021-33688] SQL Injection vulnerability in SAP Business One | SAP Business One, Version 10.0 | Medium | 4.3 |
| 3075546 | [CVE-2021-37532] Directory Listing Enabled in SAP Business One | SAP Business One, Version 10.0 | Medium | 4.3 |
| 3087791 | [CVE-2021-38174] Improper Input Validation in SAP 3D Visual Enterprise Viewer | SAP 3D Visual Enterprise Viewer, Version 9.0 | Medium | 4.3 |

An attacker could exploit some of these vulnerabilities to take control of an affected system.

CERT Bulgaria encourages users and administrators to review the SAP Security Notes for September 2021 for more information and to apply the necessary updates.

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=585106405