The latest SAP update includes security patches for five new vulnerabilities, three of which are identified as critical. One of the updates addresses 63 security flaws in Chromium for SAP Business Client v90.0.4430.93 and received a score of 10/10 according to the Common Vulnerability Scoring System (CVSS).
The remaining two critical updates received CVSS scores of 9.9/10 and corrected a remote code execution flaw in SAP Commerce and a code injection flaw in Business Warehouse and BW/4HANA. The remaining fixes in this release also address two medium severity flaws and a low severity issue.
The remaining top CVSS-scored flaws reside in SAP Business One and are related to SAP Chef Cookbooks, which are implementations for managing critical infrastructure on virtual machines.
Of these flaws, the first two affect Business One for SAP HANA and its successful exploitation would allow arbitrary code injection, which hackers could take advantage of to take full control of an application. The third flaw lies in Business One on SQL Server and its exploitation would allow the disclosure of sensitive information.
The third high-severity patch addresses a code injection issue in NetWeaver AS ABAP that could allow attackers with access to the local SAP system to read and overwrite data and even launch a denial of service (DoS) attack.
Medium security updates patch vulnerabilities in SAP Commerce and Process Integration, while the low severity note resolves an error in the SAP GUI for Windows. The day of the May 2021 SAP security patch also saw the release of updates for two medium severity vulnerabilities affecting NetWeaver Application Server Java and SAP Focused RUN, respectively.
To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.
