SAP releases critical security patches every month.
These updates are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply the patches as a priority to protect their SAP landscape against attacks that exploit these vulnerabilities.
Below are monthly updates on the security patches. (We will keep updating this post with new Patch Day posts from SAP.)
What is a CVSS score?
CVSS stands for Common Vulnerability Scoring System, an industry standard for rating the severity of security vulnerabilities that could affect systems. SAP assigns each issue a CVSS score based on the risk that the issue poses to the complete SAP system.
CVSS scores range from 0 (lowest) to 10 (highest).
SAP Security Patch Day updates
[UPDATE MAY 2021]
For the May 2021 Patch Day, SAP released 6 new security notes. We provide details of the most critical ones, those with a CVSS score above 8.
- Multiple vulnerabilities in Chromium, which is used by SAP Business Client. [CVSS: 10]
  Solution: Apply latest patch for SAP Business Client as mentioned in note 2622660.
- Vulnerability in both on-premise installations of SAP Commerce as well as SAP Commerce Cloud. [CVSS: 9.9]
  Solution: Apply latest patch as per note 3040210.
  Workaround: If patching is not an option, then verify the permissions that grant create and change privileges to the SourceRule type.
- Code Injection Vulnerability in SAP BW and SAP BW/4HANA. [CVSS: 9.9]
  Solution: Implement attached instructions as per note 2999854 using SNOTE to correct the function RSDRC_ITAB_LOGGING.
- Code Injection Vulnerability in SAP NetWeaver AS ABAP using report RDDPUTJR. [CVSS: 8.2]
  Solution: Implement note 3046610 using SNOTE.
  Workaround: Remove authorization for the users to execute SE38/SA38 for report RDDPUTJR.
For more information, see the monthly SAP Patch Day blogs on the SCN wiki:
SAP Security Patch Day – August 2021
SAP Security Patch Day – July 2021
SAP Security Patch Day – June 2021
SAP Security Patch Day – May 2021
SAP Security Patch Day – April 2021
SAP Security Patch Day – March 2021
SAP Security Patch Day – February 2021
SAP Security Patch Day – January 2021