By Ionut Arghire
On Tuesday, its October 2021 Security Patch Day, SAP announced the release of 13 new security notes and an update for a previously released note. Three of the notes are rated Hot News.
The most important of SAP’s security notes (https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983) deals with two critical vulnerabilities in SAP Environmental Compliance. Tracked as CVE-2020-10683 and CVE-2021-23926 (CVSS score of 9.8), the bugs are potential XML external entity (XXE) injection issues.
While SAP hasn’t provided specific details on these security holes, XML injection bugs typically allow an attacker to interfere with the processing of XML data, leading to information disclosure or enabling the attacker to interact with backend systems, SAP application security firm Onapsis says.
SAP has also addressed a critical improper authorization in NetWeaver AS ABAP and ABAP Platform (CVE-2021-38178, CVSS score of 9.1). The flaw could be exploited to bypass quality gates and transfer ABAP code artifacts to quality and production systems.
A third Hot News security note released this week is an update to the Chromium browser in the SAP Business Client.
Only one of SAP’s newly released security notes has a severity rating of high. It addresses a denial of service (DoS) vulnerability (CVE-2021-40498, CVSS score of 7.8) in SuccessFactors Mobile Application for Android devices.
During the execution of implemented Android methods, interaction with activities from other Android applications that use these methods is possible, which could lead to potential phishing attacks, in addition to DoS.
All of the remaining 10 security notes in SAP’s new round of patches deal with medium-severity issues, including information disclosure, DoS, code injection, and cross-site scripting (XSS) bugs.
In addition to these 14 security notes, SAP released 3 other notes since last month’s Security Patch Day. All three deal with medium-severity security defects.