Software giant SAP has released November 2021 Security Patch Day that includes seven new separate security advisories and patches, two of those were updates to previously released patches.
The SAP updates include one ‘Hot News Notes’ for a Critical vulnerability:
- CVE-2021-40501: Missing Authorization check in ABAP Platform Kernel (CVSS score of 9.6).
This issue affects SAP ABAP Platform Kernel, Versions 7.77, 7.81, 7.85, and 7.86.
ABAP is a high-level programming language created by SAP for programming the SAP NetWeaver Application Server.
According to Onapsis, CVE-2021-40501 could result in an escalation of privileges for an authenticated business user.
“The vulnerability affects trusted connections to other systems via RFC and HTTP communication, allowing the user to execute application-specific logic in other systems,” Onapsis stated.
SAP also fixed two High severity vulnerabilities:
- CVE-2021-40502: Missing Authorization check in SAP Commerce.
- CVE-2020-6369: Hard-coded Credentials in CA Introscope Enterprise Manager (Affected products: SAP Solution Manager and SAP Focused (update from previous October 2021 release).
Moreover, SAP also addressed four Medium severity vulnerabilities, one of those was a re-release of a September 2021 patch.
Previous SAP cyberattacks
Readers may recall recent warnings by Onapsis of cyberattacks against vulnerable SAP systems earlier this year.
One of those exploited vulnerabilities dubbed RECON (CVE-2020-6287) was previously patched in July 2020 and affected SAP NetWeaver AS for Java component, which missed an authentication check. As a result, hackers could create administrative users and change configurations on affected SAP systems.