SAP Security Notes Summary – December 2021
Once a month I publish a review of all SAP Security Notes and related news released in that month. SAP Security Notes contain SAP's expert advice on important action items and patches to ensure the security of your systems.
SAP Components | Number | Title | CVSS Score | Released On |
---|---|---|---|---|
XX-SER-SN | 3131047 | [CVE-2021-44228] Central Security Note for Remote Code Execution vulnerability associated with Apache Log4j 2 component | 10 | 31.12.2021 |
IOT-EDG-OD | 3132515 | [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Edge Services Cloud Edition | 10 | 30.12.2021 |
XX-PART-ADB-IFM | 3131691 | [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP NetWeaver ABAP Server and ABAP Platform (Adobe LiveCycle Designer 11.0) | 5,5 | 30.12.2021 |
BC-XI-CON-JWS | 3133005 | [CVE-2021-45105] Denial of service (DOS) associated with Apache Log4j 2 component used in Java Web Service Adapter of SAP NetWeaver Process Integration | 6,5 | 28.12.2021 |
BC-XS-ADM | 3131397 | [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in XSA Cockpit | 10 | 24.12.2021 |
BC-XS-ADM | 3134531 | [CVE-2021-44228] Denial of Service vulnerability associated with Apache Log4j component used in XSA Cockpit | 7,5 | 24.12.2021 |
BC-XS-ADM | 3132822 | Update 1 to Security Note 3131397 [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in XSA Cockpit | 9 | 24.12.2021 |
KM-WPB-MGR | 3132964 | [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Enable Now Manager | 10 | 24.12.2021 |
OPU-API-OD-DT | 3132162 | [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP BTP API Management (Tenant Cloning Tool) | 10 | 24.12.2021 |
IOT-EDG-OP | 3132909 | [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Edge Services On Premise Edition | 10 | 24.12.2021 |
LOD-CRM-GW-LN | 3132074 | [CVE-2021-44228] Code Injection vulnerability in Cloud for Customer Lotus Notes PlugIn | 8 | 23.12.2021 |
IS-SE-CCO | 3133772 | [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Customer Checkout | 10 | 22.12.2021 |
CA-GTF-CSC-EDO-IN-DC | 3132177 | [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Localization Hub, digital compliance service for India | 10 | 22.12.2021 |
BC-NEO-SVC-IOT | 3132922 | [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in Internet of Things Edge Platform | 10 | 21.12.2021 |
BC-CP-XF-KYMA | 3132744 | [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP BTP Kyma | 10 | 21.12.2021 |
BC-CP-CF-RT | 3130578 | [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP BTP Cloud Foundry | 10 | 21.12.2021 |
BC-VCM-LVM | 3132198 | [CVE-2019-17571] Code Injection vulnerability in SAP Landscape Management | 9,8 | 20.12.2021 |
IS-PMED-HPH | 3131824 | [CVE-2021-44228] Log4j Vulnerability in Connected Health Platform 2.0 – Fhirserver | 8 | 20.12.2021 |
BC-XI-CON-JWS | 3132204 | [CVE-2021-45046] Denial of service (DOS) associated with Apache Log4j 2 component used in Java Web Service Adapter of SAP NetWeaver Process Integration | 8,5 | 20.12.2021 |
CA-VE-VEV | 3121165 | [Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer | 4,3 | 17.12.2021 |
BC-XS-RT | 3131258 | [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP HANA XSA | 10 | 16.12.2021 |
BC-XI-CON-JWS | 3130521 | [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in Java Web Service Adapter of SAP NetWeaver Process Integration | 9,9 | 16.12.2021 |
LOD-SF-FWK | 3077635 | [CVE-2021-40498] Denial of service (DOS) in the SAP SuccessFactors Mobile Application for Android devices | 7,8 | 14.12.2021 |
GRC-ACP | 3080816 | [CVE-2021-44233] Missing Authorization check in GRC Access Control | 2,4 | 14.12.2021 |
BC-INS-TC-CNT | 3123196 | [CVE-2021-44235] Code Injection vulnerability in utility class for SAP NetWeaver AS ABAP | 8,4 | 14.12.2021 |
BC-DOC-TTL | 3119365 | [CVE-2021-44231] Code Injection vulnerability in SAP ABAP Server & ABAP Platform (Translation Tools) | 9,9 | 14.12.2021 |
CEC-COM-CPS-COR | 3114134 | [CVE-2021-42064] SQL Injection vulnerability in SAP Commerce | 8,8 | 14.12.2021 |
CEC-COM-CPS-COR | 3113593 | Denial of service (DOS) in SAP Commerce | 7,5 | 14.12.2021 |
CEC-COM-CPS-WEB-CAI | 3109577 | Code Execution vulnerability in SAP Commerce, localization for China | 9,9 | 14.12.2021 |
BC-VCM-LVM | 3107332 | Missing Authorization Check in SAP Landscape Management | 6,6 | 14.12.2021 |
BI-RA-WBI-FE-HTM | 3103677 | [CVE-2021-42061] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence platform (Web Intelligence) | 4,1 | 14.12.2021 |
KM-KW-HTA | 3102769 | [CVE-2021-42063] Cross-Site Scripting (XSS) vulnerability in SAP Knowledge Warehouse | 8,8 | 14.12.2021 |
CA-FLP-ABA | 3051005 | Cross-Site Scripting (XSS) Vulnerability in SAP Fiori Launchpad | 3,5 | 14.12.2021 |
FI-LOC-SAF | 3124094 | [CVE-2021-44232] Directory Traversal vulnerability in SAF-T Framework | 7,7 | 14.12.2021 |
CA-UI5-DLV | 2843016 | [CVE-2019-0388] Content spoofing vulnerability in UI5 HTTP Handler | 4,3 | 14.12.2021 |
BC-FES-BUS-DSK | 2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | 10 | 14.12.2021 |
IS-ADEC-ETM | 2484231 | Missing Authorization Check in DIMP Industry Solution (Equipment and Tools Management & Bills of Services) | 4,3 | 14.12.2021 |
*The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.