SAP Security Patch Day is scheduled for the second Tuesday of every month, in sync with the Security Patch Days of other major software vendors, to provide continuous security maintenance for installed SAP software. SAP Security Notes, both new notes and updates to previously released ones, are published on this day.
On SAP Patch Days, the SAP Product Security Response Team publishes SAP Security Notes, also known as software corrections, that focus solely on security and protect against potential weaknesses or attacks. To keep their SAP landscape protected, customers are strongly advised to apply the patches promptly, especially those categorised as “Hot News”.
Onapsis, a provider of SAP ERP application security solutions, shared highlights of this month’s SAP Patch Day, released on 9 February 2021, in a blog post. SAP released 7 new Security Notes and 6 updates to previously released Patch Day Security Notes. Of the 13 security notes, 3 corrections are tagged as Hot News, including one that fixes a serious Code Injection vulnerability in SAP Commerce, and 2 are listed as High Priority.
SAP Security Notes: Hot News
SAP Security Note #3014121, the most critical with a CVSS score of 9.9, addresses a remote code execution vulnerability in SAP Commerce. The patch resolves the vulnerability in SAP Commerce installations that have the rule engine extension installed. Although the patch covers the majority of these installations, it only corrects the default permissions when a new SAP Commerce installation is initialized; existing installations require additional manual remediation steps.
This critical SAP Commerce vulnerability, a misconfiguration of default user permissions, can lead to a complete compromise of the system, including the application’s confidentiality, integrity and availability.
SAP Security Note #2986980, already updated twice since its initial release on the January Patch Day, is tagged with a CVSS score of 9.9. The patch resolves multiple SQL Injection and Missing Authorization vulnerabilities in the database interface of SAP Business Warehouse.
SAP Security Note #2986980, an update to a security note released on the April 2018 Patch Day, provides security updates for the Google Chromium browser control delivered with SAP Business Client. The newest SAP Business Client patch includes Chromium version 87.0.4280.66, which fixes 33 security issues in total, 11 of which are rated High Priority.
High Priorities
SAP Security Note #3000306, tagged with a CVSS score of 7.5, is an update to the security note released on the January 2021 Patch Day. The patch resolves a denial-of-service (DoS) vulnerability in SAP NetWeaver AS ABAP and ABAP Platform.
SAP Security Note #2993132, tagged with a CVSS score of 7.6, is an update to the security note released on the December 2020 Patch Day. The patch resolves a missing authorization check in SAP NetWeaver AS ABAP and SAP S/4HANA (SAP Landscape Transformation).
The February Security Patch Day also included 5 notes resolving a Reverse Tabnabbing vulnerability, each patching one Web UI technology or framework. Although not the highest-scoring vulnerability of this Patch Day, Reverse Tabnabbing is easy to fix and can be found in most of the world’s largest web applications. Security patches for reverse tabnabbing include SAP Security Note #3014303 for the Reverse Tabnabbing vulnerability in SAPUI5 and SAP Security Note #2974582 for the Reverse Tabnabbing vulnerability in SAP Web Dynpro ABAP Applications.
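Reverse tabnabbing depends on a page opening a link in a new browsing context (target="_blank") without rel="noopener", which leaves the opened page with a reference to the opener. The following Node.js script is an added example, not SAP's code and not taken from the Onapsis post: it audits HTML markup for anchors in that state and rewrites them with the noopener/noreferrer mitigation that the affected UI frameworks apply. The sample markup, hostnames and function names are constructed for the example.

```javascript
// Added example (not SAP's or Onapsis' code): find anchors that open a new
// browsing context without rel="noopener" and rewrite them safely.

// Constructed sample markup; hostnames are placeholders, not real SAP UI output.
const SAMPLE_HTML = `
<a href="https://partner.example/portal" target="_blank">Partner portal</a>
<a href="https://docs.example/" target="_blank" rel="noopener noreferrer">Docs</a>
<a href="/internal/report" target="_self">Report</a>
<a target='_blank' href='https://forum.example/'>Forum</a>
`;

// Parse the attribute string of one <a ...> tag into a lowercase-keyed map.
function parseAttrs(attrString) {
  const attrRe = /([a-zA-Z-]+)\s*=\s*("([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  const attrs = {};
  let m;
  while ((m = attrRe.exec(attrString)) !== null) {
    attrs[m[1].toLowerCase()] = m[3] ?? m[4] ?? m[5] ?? '';
  }
  return attrs;
}

// True when the rel attribute already contains the given token (case-insensitive).
function hasRelToken(attrs, token) {
  return (attrs.rel || '').toLowerCase().split(/\s+/).includes(token);
}

// An anchor is exposed when it targets _blank and lacks rel="noopener".
function isExposed(attrs) {
  return (attrs.target || '').toLowerCase() === '_blank' && !hasRelToken(attrs, 'noopener');
}

// Return the href of every anchor in the markup that is exposed to reverse tabnabbing.
function findTabnabbingAnchors(html) {
  const anchorRe = /<a\b([^>]*)>/gi;
  const findings = [];
  let m;
  while ((m = anchorRe.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    if (isExposed(attrs)) findings.push(attrs.href || '');
  }
  return findings;
}

// Rewrite exposed anchors so that rel carries noopener and noreferrer,
// keeping any rel tokens (e.g. nofollow) the anchor already had.
function hardenAnchors(html) {
  const anchorRe = /<a\b([^>]*)>/gi;
  return html.replace(anchorRe, (full, attrString) => {
    const attrs = parseAttrs(attrString);
    if (!isExposed(attrs)) return full;
    const tokens = (attrs.rel || '').split(/\s+/).filter(Boolean);
    for (const t of ['noopener', 'noreferrer']) {
      if (!tokens.includes(t)) tokens.push(t);
    }
    const relValue = `rel="${tokens.join(' ')}"`;
    const relRe = /(^|\s)rel\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+)/i;
    if (relRe.test(attrString)) {
      // Replace the existing rel attribute in place, preserving leading whitespace.
      return `<a${attrString.replace(relRe, (m0, ws) => ws + relValue)}>`;
    }
    return `<a${attrString} ${relValue}>`;
  });
}

// Stand-alone run: report exposed anchors, then show the hardened markup.
console.log('Exposed anchors:', findTabnabbingAnchors(SAMPLE_HTML));
console.log(hardenAnchors(SAMPLE_HTML));
```

The audit half is the useful part for a defender reviewing templates or rendered pages before a framework patch lands; the rewrite half shows the whole fix, which is simply adding the rel tokens.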