SAP Security Notes Summary – December 2021

Traditionally, once a month I publish a review of all SAP Security Notes and related news released in that month. SAP Security Notes contain SAP's expert advice regarding important action items and patches to ensure the security of your systems.

| SAP Component | Number | Title | CVSS Score | Released On |
|---|---|---|---|---|
| XX-SER-SN | 3131047 | [CVE-2021-44228] Central Security Note for Remote Code Execution vulnerability associated with Apache Log4j 2 component | 10 | 31.12.2021 |
| IOT-EDG-OD | 3132515 | [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Edge Services Cloud Edition | 10 | 30.12.2021 |
| XX-PART-ADB-IFM | 3131691 | [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP NetWeaver ABAP Server and ABAP Platform (Adobe LiveCycle Designer 11.0) | 5.5 | 30.12.2021 |
| BC-XI-CON-JWS | 3133005 | [CVE-2021-45105] Denial of service (DOS) associated with Apache Log4j 2 component used in Java Web Service Adapter of SAP NetWeaver Process Integration | 6.5 | 28.12.2021 |
| BC-XS-ADM | 3131397 | [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in XSA Cockpit | 10 | 24.12.2021 |
| BC-XS-ADM | 3134531 | [CVE-2021-44228] Denial of Service vulnerability associated with Apache Log4j component used in XSA Cockpit | 7.5 | 24.12.2021 |
| BC-XS-ADM | 3132822 | Update 1 to Security Note 3131397 [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in XSA Cockpit | 9 | 24.12.2021 |
| KM-WPB-MGR | 3132964 | [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Enable Now Manager | 10 | 24.12.2021 |
| OPU-API-OD-DT | 3132162 | [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP BTP API Management (Tenant Cloning Tool) | 10 | 24.12.2021 |
| IOT-EDG-OP | 3132909 | [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Edge Services On Premise Edition | 10 | 24.12.2021 |
| LOD-CRM-GW-LN | 3132074 | [CVE-2021-44228] Code Injection vulnerability in Cloud for Customer Lotus Notes PlugIn | 8 | 23.12.2021 |
| IS-SE-CCO | 3133772 | [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Customer Checkout | 10 | 22.12.2021 |
| CA-GTF-CSC-EDO-IN-DC | 3132177 | [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Localization Hub, digital compliance service for India | 10 | 22.12.2021 |
| BC-NEO-SVC-IOT | 3132922 | [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in Internet of Things Edge Platform | 10 | 21.12.2021 |
| BC-CP-XF-KYMA | 3132744 | [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP BTP Kyma | 10 | 21.12.2021 |
| BC-CP-CF-RT | 3130578 | [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP BTP Cloud Foundry | 10 | 21.12.2021 |
| BC-VCM-LVM | 3132198 | [CVE-2019-17571] Code Injection vulnerability in SAP Landscape Management | 9.8 | 20.12.2021 |
| IS-PMED-HPH | 3131824 | [CVE-2021-44228] Log4j Vulnerability in Connected Health Platform 2.0 – Fhirserver | 8 | 20.12.2021 |
| BC-XI-CON-JWS | 3132204 | [CVE-2021-45046] Denial of service (DOS) associated with Apache Log4j 2 component used in Java Web Service Adapter of SAP NetWeaver Process Integration | 8.5 | 20.12.2021 |
| CA-VE-VEV | 3121165 | [Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer | 4.3 | 17.12.2021 |
| BC-XS-RT | 3131258 | [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP HANA XSA | 10 | 16.12.2021 |
| BC-XI-CON-JWS | 3130521 | [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in Java Web Service Adapter of SAP NetWeaver Process Integration | 9.9 | 16.12.2021 |
| LOD-SF-FWK | 3077635 | [CVE-2021-40498] Denial of service (DOS) in the SAP SuccessFactors Mobile Application for Android devices | 7.8 | 14.12.2021 |
| GRC-ACP | 3080816 | [CVE-2021-44233] Missing Authorization check in GRC Access Control | 2.4 | 14.12.2021 |
| BC-INS-TC-CNT | 3123196 | [CVE-2021-44235] Code Injection vulnerability in utility class for SAP NetWeaver AS ABAP | 8.4 | 14.12.2021 |
| BC-DOC-TTL | 3119365 | [CVE-2021-44231] Code Injection vulnerability in SAP ABAP Server & ABAP Platform (Translation Tools) | 9.9 | 14.12.2021 |
| CEC-COM-CPS-COR | 3114134 | [CVE-2021-42064] SQL Injection vulnerability in SAP Commerce | 8.8 | 14.12.2021 |
| CEC-COM-CPS-COR | 3113593 | Denial of service (DOS) in SAP Commerce | 7.5 | 14.12.2021 |
| CEC-COM-CPS-WEB-CAI | 3109577 | Code Execution vulnerability in SAP Commerce, localization for China | 9.9 | 14.12.2021 |
| BC-VCM-LVM | 3107332 | Missing Authorization Check in SAP Landscape Management | 6.6 | 14.12.2021 |
| BI-RA-WBI-FE-HTM | 3103677 | [CVE-2021-42061] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence platform (Web Intelligence) | 4.1 | 14.12.2021 |
| KM-KW-HTA | 3102769 | [CVE-2021-42063] Cross-Site Scripting (XSS) vulnerability in SAP Knowledge Warehouse | 8.8 | 14.12.2021 |
| CA-FLP-ABA | 3051005 | Cross-Site Scripting (XSS) Vulnerability in SAP Fiori Launchpad | 3.5 | 14.12.2021 |
| FI-LOC-SAF | 3124094 | [CVE-2021-44232] Directory Traversal vulnerability in SAF-T Framework | 7.7 | 14.12.2021 |
| CA-UI5-DLV | 2843016 | [CVE-2019-0388] Content spoofing vulnerability in UI5 HTTP Handler | 4.3 | 14.12.2021 |
| BC-FES-BUS-DSK | 2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | 10 | 14.12.2021 |
| IS-ADEC-ETM | 2484231 | Missing Authorization Check in DIMP Industry Solution (Equipment and Tools Management & Bills of Services) | 4.3 | 14.12.2021 |

Source: www.sap.com

*The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative rating (such as low, medium, high, or critical) to help organizations assess and prioritize their vulnerability management processes.
