SAP July 2021 Security Patch Day addresses Critical vulnerabilities

SAP July 2021 Security Patch Day addresses Critical vulnerabilities

Software giant SAP has released July 2021 Security Patch Day that includes 15 separate security advisories and patches.

The SAP updates include 2 ‘Hot News Notes’ and are updates to previously released Patch Day Security Notes.

The first of the Hot News Notes is an update for the browser control Google Chromium delivered with SAP Business Client. This is an update to a Security Note released on August 2018 Patch Day. This vulnerability is rated Critical and has a CVSS score of 10.

The second of the Hot News Notes includes a new security update for an Improper Authentication vulnerability CVE-2021-27610 in the SAP NetWeaver AS ABAP and ABAP Platform. This is a new security update to a patch that was previously released on June 2021 Patch Day and has a CVSS score of 9.

According to Onapsis, an ABAP server could not always correctly identify whether RFC or HTTP communications between the app servers were from the same SAP server or from other systems.

“This enabled a malicious user to abuse stolen credentials from an internal communication between two servers of the same system for external RFC or HTTP calls. The credential data could be used to establish an own connection between a malicious external program and the affected SAP system pretending to be an internal caller,” Thomas Fritsch of Onapsis wrote in a blog post.

SAP also fixed two High severity vulnerabilities:

  • CVE-2021-33671: Missing Authorization check in SAP NetWeaver Guided Procedures.
  • CVE-2021-33670: Denial of Service (DoS) in SAP NetWeaver AS for Java (Http Service).

Moreover, SAP also addressed multiple other Medium or Low severity vulnerabilities.

Previous SAP cyberattacks

Readers may recall recent warnings by Onapsis of cyberattacks against vulnerable SAP systems earlier this year.

One of those exploited vulnerabilities dubbed RECON (CVE-2020-6287) was previously patched in July 2020 and affected SAP NetWeaver AS for Java component, which missed an authentication check. As a result, hackers could create administrative users and change configurations on affected SAP systems.

Related Articles