SAP Security Patch Day June 2021: Multiple Memory Corruption Vulns Can Lead to System Crash

This blog originally appeared on the Onapsis blog.

  • June Summary — 20 new and updated SAP security patches released, including two HotNews Notes and four High Priority Notes

  • Highest CVSS Score of New Notes is 9.0 — Improper Authentication vulnerability in SAP NetWeaver AS ABAP and ABAP Platform can be used to bypass protection against external calls

  • Onapsis Research Labs Collaboration — 20 vulnerabilities detected, patched with six SAP Security Notes

SAP has published 20 new and updated Security Notes on its June Patch Day. This number includes two HotNews Notes and four High Priority Notes.

Fortunately, one of the two HotNews Notes is just a minor update to SAP Security Note #3040210, originally published on SAP’s April Patch Day. The note fixes a serious Remote Code Execution vulnerability in the Rules Engine of SAP Commerce. The new version of that note only contains an updated link to an FAQ document.

The really remarkable aspect of this Patch Day is that three of the four High Priority Notes affect SAP kernel processes that have existed since the beginning of the SAP R/3 era and can be seen as the heart of SAP NetWeaver AS ABAP and ABAP Platform.