This post by the SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply patches on a priority basis to protect their SAP landscape.
On the 14th of December 2021, SAP Security Patch Day saw the release of 10 Security Notes. There were 5 updates to previously released Patch Day Security Notes.
List of security notes released on December Patch Day:
| Note# | Title | Priority | CVSS |
|---|---|---|---|
| 2622660 | Update to Security Note released on Patch Day: Security updates for the browser control Google Chromium delivered with SAP Business Client Product – SAP Business Client, Version – 6.5 | Hot News | 10 |
| 3109577 | Code Execution vulnerability in SAP Commerce, localization for China Related CVEs - CVE-2021-21341, CVE-2021-21342, CVE-2021-21349, CVE-2021-21343, CVE-2021-21344, CVE-2021-21346, CVE-2021-21347, CVE-2021-21350, CVE-2021-21351, CVE-2021-21345, CVE-2021-21348 Product - SAP Commerce, localization for China, Version - 2001 | Hot News | 9.9 |
| 3119365 | [CVE-2021-44231] Code Injection vulnerability in SAP ABAP Server & ABAP Platform (Translation Tools) Product - SAP ABAP Server & ABAP Platform (Translation Tools), Versions - 701, 740, 750, 751, 752, 753, 754, 755, 756, 804 | Hot News | 9.9 |
| 3089831 | Update to Security Note released on September 2021 Patch Day: | Hot News | 9.9 |
| 3114134 | [CVE-2021-42064] SQL Injection vulnerability in SAP Commerce Product - SAP Commerce, Versions - 1905, 2005, 2105, 2011 | High | 8.8 |
| 3102769 | [CVE-2021-42063] Cross-Site Scripting (XSS) vulnerability in SAP Knowledge Warehouse Product - SAP Knowledge Warehouse, Versions - 7.30, 7.31, 7.40, 7.50 | High | 8.8 |
| 3123196 | [CVE-2021-44235] Code Injection vulnerability in utility class for SAP NetWeaver AS ABAP Product - SAP NetWeaver AS ABAP, Versions - 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756 | High | 8.4 |
| 3077635 | [CVE-2021-40498] Denial of service (DOS) in the SAP SuccessFactors Mobile Application for Android devices Product - SAP SuccessFactors Mobile Application (for Android devices), Versions - <2108 | High | 7.8 |
| 3124094 | [CVE-2021-44232] Directory Traversal vulnerability in SAF-T Framework Product - SAF-T Framework, Versions - SAP_FIN 617, 618, 720, 730, SAP_APPL 600, 602, 603, 604, 605, 606, S4CORE 102, 103, 104, 105 | High | 7.7 |
| 3113593 | Denial of service (DOS) in SAP Commerce Related CVE - CVE-2021-37714 Product - SAP Commerce, Versions - 1905, 2005, 2105, 2011 | High | 7.5 |
| 3000663 | Update to Security Note released on July 2021 Patch Day: | Medium | 5.4 |
| 3121165 | [Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer | Medium | 4.3 |
| 2843016 | Update to Security Note released on November 2019 Patch Day: [CVE-2019-0388] Content spoofing vulnerability in UI5 HTTP Handler Product - SAP UI, Versions - 7.5, 7.51, 7.52, 7.53, 7.54 Product - SAP UI 700, Versions - 2.0 | Medium | 4.3 |
| 3103677 | [CVE-2021-42061] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence platform (Web Intelligence) Product - SAP BusinessObjects Business Intelligence Platform, Version - 420 | Medium | 4.1 |
| 3080816 | [CVE-2021-44233] Missing Authorization check in GRC Access Control Product - SAP GRC Access Control, Versions - V1100_700, V1100_731, V1200_750 | Low | 2.4 |
Note: Graphs could not be added due to an issue in the editor.
https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+December+2021