Software giant SAP has released its August 2021 Security Patch Day updates, which include 14 new security advisories and patches.
The SAP updates include 3 ‘Hot News Notes’ for Critical vulnerabilities (with base CVSS score):
- CVE-2021-33698: Unrestricted File Upload vulnerability in SAP Business One Version 10.0 (CVSS 9.9)
- CVE-2021-33690: Server Side Request Forgery vulnerability in SAP NetWeaver Development Infrastructure (Component Build Service) versions 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 (CVSS 9.9)
- CVE-2021-33701: SQL Injection vulnerability in SAP NZDT Row Count Reconciliation in DMIS Mobile Plug-In and SAP S/4HANA – multiple versions (CVSS 9.1).
According to Onapsis, CVE-2021-33690 could allow attackers to perform proxy attacks by sending crafted queries. If SAP NetWeaver Development Infrastructure (NWDI) runs on the internet, this vulnerability “could completely compromise sensitive data residing on the server, and impact its availability.”
SAP also fixed 5 High severity vulnerabilities:
- CVE-2021-33702: Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal
- CVE-2021-33703: Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal
- CVE-2021-33705: Server-Side Request Forgery (SSRF) vulnerability in SAP NetWeaver Enterprise Portal
- CVE-2021-33699: Task Hijacking in SAP Fiori Client Native Mobile for Android
- CVE-2021-33700: Missing Authentication check in SAP Business One.
SAP also addressed 7 Medium severity vulnerabilities.
Previous SAP cyberattacks
Readers may recall recent warnings by Onapsis of cyberattacks against vulnerable SAP systems earlier this year.
One of those exploited vulnerabilities, dubbed RECON (CVE-2020-6287), was patched in July 2020 and affected the SAP NetWeaver AS for Java component, which lacked an authentication check. As a result, hackers could create administrative users and change configurations on affected SAP systems.