On its May 2021 Security Patch Day, SAP posted six new security notices, as well as updates to five others, three of which were rated as Hot News.
The first of the revised Hot News notes (CVSS score 10) concerns security updates for Chromium distributed with SAP Business Client; this Chromium update, version 90.0.4430.93, addresses 63 security holes.
The other two revised notices, each with a CVSS score of 9.9, address a remote code execution vulnerability in SAP Commerce’s Source Rules and a code injection vulnerability in Business Warehouse and BW/4HANA, respectively.
Of the new security notices issued on Security Patch Day, three are for high-severity flaws, two are for medium-severity flaws, and one is for a low-severity error.
According to Onapsis, a company that specialises in protecting Oracle and SAP software, two of the high-severity security notes, both connected to SAP’s Chef Cookbooks (designed to handle infrastructure on physical or virtual machines), fix three vulnerabilities in SAP Business One.
The first two bugs affect Business One for SAP HANA and could result in code injection, allowing an attacker to take complete control of the program, while the third affects Business One on SQL Server and could result in payroll data being exposed.
The third high-severity security bulletin addresses a code injection flaw in NetWeaver AS ABAP that could allow an attacker with local access to the SAP device to read and overwrite data or initiate a denial-of-service (DoS) attack.
“Only the requirement for local access, combined with the fact that an attacker needs high privileges to execute the programme,” Onapsis states, prevents this vulnerability from receiving a CVSS score of 10.
The security notes of medium severity fix vulnerabilities in SAP Commerce and Process Integration, while the low-severity notice fixes a flaw in SAP GUI for Windows.
Updates for two medium-severity vulnerabilities in NetWeaver Application Server Java and SAP Focused RUN were also released as part of the SAP Security Patch Day in May 2021.
Beyond the 11 security updates released on Security Patch Day, SAP released three additional security updates after the second Tuesday of April 2021.