Notas de Seguridad SAP, Septiembre 2021

Inprosec a través de sus servicios, como el SAP Security Assessment, ayuda a sus clientes a mejorar los niveles de seguridad de sus sistemas SAP.

Notas Septiembre 2021

Resumen y highlights del Mes

El número total de notas/parches ha aumentado con respecto al último mes. Además de esta subida en el número de notas totales, el número de Hot News aumentan, siendo 3 las que encontrábamos el mes pasado con respecto a las 7 existentes en Septiembre. Por otro lado, cabe destacar, que disminuyen el número de notas de criticidad alta pasando de 6 a 2 en este mes. Como siempre dejaremos las notas medias y bajas sin revisar en este mes, pero daremos detalle de un total de 9 notas (todas las que tengan un CVSS de 7 o mayor).

Tenemos un total de 21 notas para todo el mes, 2 más que el pasado Agosto (19 del patch Tuesday, 17 nuevas y 2 actualizaciones, siendo 4 más que el pasado mes).

Tenemos 5 notas críticas (Hot News) nuevas, siendo el total de 7 en este mes que destacan por su alto CVVS, una de ellas la actualización recurrente para el SAP Business Client con Chromium . Además revisaremos en detalle 2 del total de 2 notas altas (aquellas de CVSS mayor o igual a 7), ambas nuevas.

  • Las dos notas más críticas del mes (con CVSS 10) son, por un lado, la actualización de “Browser Control Chromium Delivered with SAP Business Client (2622660)” y por otro lado la nueva nota de “Missing Authorization check in SAP NetWeaver Application Server for Java (JMS Connector Service)”.
  • Las siguientes en criticidad (con CVSS 9.9) son 4 notas que solucionan diferentes vulnerabilidades.
  • A partir de ahí, localizamos las 2 notas de criticidad alta (high priority) siendo la más relevante con un CVSS de 8.9 una nueva nota de “HTTP Request Smuggling in SAP Web Dispatcher”. El resto (12) son de nivel medio y bajo, y no las veremos en detalle, aunque cabe destacar que hay más de una que afecta a SAP Business One.
  • Este mes los tipos más predominantes son “Missing Authorization Check” (3/21 y 2/19 en patch day) y “Information Disclosure” (3/21 y 3/19 en patch day).


En la gráfica (post Septiembre 2021 de SAP) podemos ver la clasificación de las notas de Septiembre además de la evolución y clasificación de los últimos 5 meses anteriores (solo las notas del Sec. Tuesday / Patch Day – by SAP):

Detalle completo

El detalle completo de las notas más relevantes es el siguiente (en inglés):

  1. Update – Security updates for the browser control Google Chromium delivered with SAP Business Client (2622660): It provides a SAP Business Client Patch with the latest tested Chromium fixes. SAP Business Client customers already know that updates of this note always contain important fixes that must be addressed. The note references 57 Chromium fixes with a maximum CVSS score of 9.6—24 of them rated with High Priority. The last number only reflects vulnerabilities that were reported externally, as Google doesn’t provide such information about internally detected issues. CVSS v3 Base Score: 10 / 10 .
  2. Missing Authorization check in SAP NetWeaver Application Server for Java (JMS Connector Service) (3078609): It patches a Missing Authorization Check vulnerability in the Java Message Service (JMS) Connector Service of an SAP NetWeaver AS JAVA system. The JMS Connector Service is an enterprise messaging system that provides a way for business applications to exchange data without needing to be directly connected to each other. The communication is obtained using messages. It allows different message models like Point-to-Point Messaging or Publish-Subscribe scenarios. Facing the integral role of the JMS Connector Service and the CVSS top score of the vulnerability, there should be no doubt that providing the corresponding patch is absolutely recommended. Otherwise, restricted data is at risk of being read, updated, or deleted. CVSS v3 Base Score: 10 / 10 (CVE-2021-37535).
  3. Update – Unrestricted File Upload vulnerability in SAP Business On (3071984): It contains an updated description of a possible workaround. The note fixes an Unrestricted File Upload vulnerability in SAP Business One and was initially released on SAP’s August Patch Day. CVSS v3 Base Score: 9.9 / 10 (CVE-2021-33698).
  4. SQL Injection vulnerability in SAP NZDT Mapping Table Framework (3089831): It patches SQL Injection vulnerabilities in no less than 25(!) RFC-enabled function modules of the Near Zero Downtime (NZDT) Mapping Table framework used during system upgrades and migrations. An improper input sanitization allows an authenticated user with certain specific privileges to remotely call these function modules and execute manipulated queries to gain access to the backend database. This note provides a patch for this vulnerability which leads to a complete or partial deactivation of the affected function modules. As a workaround, customers with activated Unified Connectivity (UCON) runtime checks can also deactivate the affected function modules manually. Important: Independent of which method is used to patch the vulnerabilities, they both result in making the product SAP Test Data Migration Server unusable. CVSS v3 Base Score: 9.9 / 10 (CVE-2021-38176).
  5. Unrestricted File Upload vulnerability in SAP NetWeaver (Visual Composer 7.0 RT) (3084487): It affects SAP Visual Composer, a tool that allows business process designers to model applications and prototypes without writing a single line of code. Due to an Unrestricted File Upload vulnerability, a non-administrative user can upload a malicious file over a network and trigger its processing which can run operating system commands with the privilege of the Java Server process. According to this note attackers could read and modify any information on the server or shut down the server, making it unavailable. CVSS v3 Base Score: 9.9 / 10 (CVE-2021-38163).
  6. Code Injection vulnerability in SAP NetWeaver Knowledge Management (XMLForms) (3081888): An XSLT vulnerability allows a non-administrative authenticated attacker to craft a malicious XSL stylesheet file containing a script with OS-level commands, copy it into a location to be accessed by the system and then create a file which will trigger the XSLT engine to execute the script contained within the malicious XSL file. The vulnerability is fixed with this note, tagged with a CVSS score of 9.9, and only the fact that it requires a minimum authorization to exploit the vulnerability prevents it from being another 10.0 on SAP’s September Patch Day. CVSS v3 Base Score: 9.9 / 10 (CVE-2021-37531).
  7. Multiple vulnerabilities in SAP Contact Center (3073891): It patches OS Command Injection and Reflected Cross-Site Scripting vulnerabilities in the chat application of SAP Contact Center. Due to missing encoding in SAP Contact Center’s Communication Desktop component, an attacker could inject a malicious script into a chat message. When the message is accepted by the chat recipients, the script gets executed in their scope. Due to the involvement of ActiveX controls in the application, the attacker can further execute operating system level commands in the chat recipients’ scope. According to SAP, this could lead to complete compromise of their confidentiality and integrity, and could also temporarily impact their availability. CVSS v3 Base Score: 9.6 / 10 (CVE-2021-33672).
  8. HTTP Request Smuggling in SAP Web Dispatcher (3080567): It patches an HTTP request smuggling vulnerability in SAP Web Dispatcher. HTTP request smuggling is a technique for interfering with the way a website processes sequences of HTTP requests that are received from one or more users. SAP users send requests to a SAP Web Dispatcher (SAP WDP) and SAP WPD forwards these requests to one or more ABAP, JAVA, or HANA back-end servers. In this situation, it is crucial that the SAP WDP and the back-end systems agree about the boundaries between requests. Otherwise, an attacker might be able to send an ambiguous request that gets interpreted differently by the SAP WDP and the back-end systems. The HTTP specification provides two different methods for specifying the length of HTTP messages. It is possible for a single message to use both methods at once. Under certain circumstances, the SAP WDP and the back-end systems do not use the same method to interpret the length of an HTTP message. Thus, an attacker could send messages that use both methods and provide different information that conflicts with each other. As a result, the back-end system is not able to clearly identify and separate each individual message. This could be leveraged by an attacker to gain control of requests issued by other users, and even obtain sensitive information by retrieving the victim’s requests and responses. CVSS v3 Base Score: 8.9 / 10 (CVE-2021-38162).
  9. Null Pointer Dereference vulnerability in SAP CommonCryptoLib (3051787): It patches a Null Pointer Dereference vulnerability in SAP CommonCryptoLib. An unauthenticated attacker could send specially-crafted malicious HTTP requests over the network, leading to a memory corruption that ends up in a Null Pointer Dereference. This causes the SAP application to crash and has a high impact on the availability of the SAP system. CVSS v3 Base Score: 7.5 / 10 (CVE-2021-38177)

Enlaces de referencia

Enlaces de referencia del CERT del INCIBE en relación a la publicación de las notas para el mes de Septiembre:

Otras referencias, en inglés de SAP y Onapsis (Septiembre):

Recursos afectados

El listado completo de los sistemas/componentes afectados es el siguiente:

  • SAP 3D Visual Enterprise Viewer, versión 9.0.
  • SAP Analysis for Microsoft Office, versión 2.8;
  • SAP Business Client, versión 6.5, 7.0 y 7.70;
  • SAP Business One, versión 10.0;
  • SAP BusinessObjects Business Intelligence Platform (BI Workspace), versión 420;
  • SAP Contact Center, versión 700;
  • SAP ERP Financial Accounting (RFOPENPOSTING_FR):
    • SAP_APPL, versión 600, 602, 603, 604, 605, 606 y 616;
    • SAP_FIN, versión 617, 618, 700, 720 y 730;
    • SAPSCORE, versión 125, S4CORE, 100, 101, 102, 103, 104 y 105;
  • SAP Landscape Transformation, versión 2.0;
  • SAP LT Replication Server, versión 2.0 y 3.0;
  • SAP LTRS for S/4HANA, versión 1.0;
  • SAP NetWeaver:
    • (Visual Composer 7.0 RT), versión 7.30, 7.31, 7.40 y 7.50;
    • Application Server Java (JMS Connector Service), versión 7.11, 7.20, 7.30, 7.31, 7.40 y 7.50;
    • Enterprise Portal, versión 7.10, 7.11, 7.20, 7.30, 7.31, 7.40 y 7.50;
    • Knowledge Management XML Forms, versión 7.10, 7.11, 7.30, 7.31, 7.40 y 7.50;
  • SAP S/4HANA, versión 1511, 1610, 1709, 1809, 1909, 2020 y 2021;
  • SAP Test Data Migration Server, versión 4.0;
  • SAP Web Dispatcher:
    • WEBDISP, versión 7.49, 7.53, 7.77 y 7.81;
    • KRNL64NUC, versión 7.22, 7.22EXT y 7.49;
    • KRNL64UC, versión 7.22, 7.22EXT, 7.49 y 7.53;
    • KERNEL, versión 7.22, 7.49, 7.53, 7.77, 7.81 y 7.8;

¿Te ha gustado?

¡Compártelo en redes sociales!

Deja una respuesta

Tu dirección de correo electrónico no será publicada. Los campos obligatorios están marcados con *

Rellena este campo
Rellena este campo
Por favor, introduce una dirección de correo electrónico válida.
Tienes que aprobar los términos para continuar


Calendario de entradas

Nuestros servicios