{"id":2687,"date":"2021-04-20T10:04:34","date_gmt":"2021-04-20T15:04:34","guid":{"rendered":"https:\/\/cert.pa\/?p=2687"},"modified":"2021-04-20T10:04:34","modified_gmt":"2021-04-20T15:04:34","slug":"csirt-panama-aviso-2021-04-19-sap-actualizacion-de-seguridad-de-sap-de-abril-de-2021","status":"publish","type":"post","link":"https:\/\/cert.pa\/?p=2687","title":{"rendered":"CSIRT Panam\u00e1 Advisory 2021-04-19 SAP: SAP Security Update for April 2021"},"content":{"rendered":"\n<p>CSIRT Panam\u00e1 Advisory 2021-04-19 SAP: SAP Security Update for April 2021<\/p>\n\n\n\n<p>Severity: High<br>Publication date: April 19, 2021<br>Last revised: April 19, 2021<br>Website: https:\/\/sap.com\/<br>Affected systems:<br>\u2022 SAP Business Client, version 6.5;<br>\u2022 SAP Commerce, versions 1808, 1811, 1905, 2005 and 2011;<br>\u2022 SAP NetWeaver AS JAVA (MigrationService), versions 7.10, 7.11, 7.30, 7.31, 7.40 and 7.50;<br>\u2022 SAP NetWeaver Master Data Management, versions 710 and 710.750;<br>\u2022 SAP Solution Manager, version 7.20;<br>\u2022 SAP NetWeaver AS for ABAP, versions 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731 and 2011_1_752, 2020, 731, 740, 750 and 7.30;<br>\u2022 SAP S4 HANA (SAP Landscape Transformation), versions 101, 102, 103, 104 and 105;<br>\u2022 SAP Setup, version 9.0;<br>\u2022 SAP NetWeaver AS for JAVA (Telnet Commands):<br>o ENGINEAPI, versions 7.30, 7.31, 7.40 and 7.50;<br>o ESP_FRAMEWORK, versions 7.10, 7.20, 7.30, 7.31, 7.40 and 7.50;<br>o SERVERCORE, versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40 and 7.50;<br>o J2EE-FRMW, versions 7.10, 7.20, 7.30, 7.31, 7.40 and 7.50;<br>\u2022 SAP NetWeaver AS for JAVA (Applications based on HTMLB for Java):<br>o EP-BASIS, versions 7.10, 7.11, 7.30, 7.31, 7.40 and 7.50;<br>o FRAMEWORK-EXT, versions 7.30, 7.31, 7.40 and 7.50;<br>o FRAMEWORK, versions 7.10 and 7.11;<br>\u2022 SAP NetWeaver AS for JAVA (Customer Usage 
Provisioning Servlet), versions 7.31, 7.40 and 7.50;<br>\u2022 SAP Process Integration, versions 7.10, 7.20, 7.30, 7.31, 7.40 and 7.50;<br>\u2022 SAP Manufacturing Execution, versions 15.1, 15.2, 15.3 and 15.4;<br>\u2022 SAP NetWeaver Application Server Java (Applications based on Web Dynpro Java), versions 7.00, 7.10, 7.11, 7.20, 7.30, 731, 7.40 and 7.50;<br>\u2022 SAP Focused RUN, versions 200 and 300;<br>\u2022 SAP NetWeaver AS for JAVA (HTTP Service), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40 and 7.50;<br>\u2022 SAP Fiori Apps 2.0 for Travel Management in SAP ERP, version 608.<\/p>\n\n\n\n<p>V. Description<br>The latest version of WordPress has been released, fixing 26 bugs and 2 security issues.<br>VI. Impact<br>In its monthly security patch communication, SAP has issued a total of 14 security notes and 5 updates to previous notes, of which 3 are of critical severity, 5 of high severity and 11 of medium severity.<br>The types of vulnerabilities published are the following:<br>\u2022 2 XSS (Cross Site Scripting) vulnerabilities.<br>\u2022 1 denial of service (DoS) vulnerability.<br>\u2022 5 information disclosure vulnerabilities.<br>\u2022 5 missing authentication check vulnerabilities.<br>\u2022 1 remote code execution vulnerability.<br>\u2022 5 vulnerabilities of other types.<br>Vulnerability CVE-2021-27602: SAP Commerce, a remote code execution vulnerability is fixed that could allow an unauthorized attacker to exploit the scripting capabilities of the rules engine to inject malicious code into the source rules, and thus allow remote code execution.<br>The remaining vulnerabilities have been assigned the identifiers: CVE-2021-21481, CVE-2021-21482, CVE-2021-21483, CVE-2020-26832, CVE-2021-27608, CVE-2021-21485, CVE-2021-27598, 
CVE-2021-27603, CVE-2021-27599, CVE-2021-27604, CVE-2021-27600, CVE-2021-27601, CVE-2021-21491, CVE-2021-27609, CVE-2021-21492 and CVE-2021-27605.<br>III. Reference to solutions, tools and information<br>Install the necessary updates or patches, as indicated by the vendor, through its official site, at the following link: https:\/\/support.sap.com\/en\/my-support\/knowledge-base\/security-notes-news.html<br>Sources:<br>\u2022 Instituto Nacional de Ciberseguridad, INCIBE. Avisos Seguridad, Actualizaci\u00f3n de seguridad de SAP de abril de 2021. Retrieved from: https:\/\/www.incibe-cert.es\/alerta-temprana\/avisos-seguridad\/actualizacion-seguridad-sap-abril-2021<br>\u2022 SAP Security Patch Day \u2013 April 2021. Risham Guram. April 13, 2021. Retrieved from: https:\/\/wiki.scn.sap.com\/wiki\/pages\/viewpage.action?pageId=573801649<br>\u2022 SAP Security Patch Day April 2021: Serious Vulnerability Patched in SAP Commerce. Retrieved from: https:\/\/onapsis.com\/blog\/sap-security-patch-day-april-2021-serious-vulnerability-patched-sap-commerce<\/p>\n\n\n\n<p>Contact information<br>CSIRT PANAMA<br>Computer Security Incident Response Team Autoridad Nacional para la Innovacion Gubernamental<br>E-Mail: info@cert.pa<br>Phone: +507 520-CERT (2378)<br>Web: https:\/\/cert.pa<br>Twitter: @CSIRTPanama<br>Key ID: 16F2B124<\/p>\n","protected":false},"excerpt":{"rendered":"<p>CSIRT Panam\u00e1 Advisory 2021-04-19 SAP: SAP Security Update for April 2021 Severity: High Publication date: April 19, 2021 Last revised: April 19, 2021 Website: https:\/\/sap.com\/ Affected systems: \u2022 SAP Business Client, version 6.5; \u2022 SAP 
Commerce,&#8230;<\/p>\n","protected":false},"author":4,"featured_media":2578,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"footnotes":""},"categories":[4],"tags":[72,135],"class_list":["post-2687","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-avisos-de-seguridad","tag-avisos-de-seguridad","tag-sap"],"_links":{"self":[{"href":"https:\/\/cert.pa\/index.php?rest_route=\/wp\/v2\/posts\/2687","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cert.pa\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cert.pa\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cert.pa\/index.php?rest_route=\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/cert.pa\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2687"}],"version-history":[{"count":2,"href":"https:\/\/cert.pa\/index.php?rest_route=\/wp\/v2\/posts\/2687\/revisions"}],"predecessor-version":[{"id":2689,"href":"https:\/\/cert.pa\/index.php?rest_route=\/wp\/v2\/posts\/2687\/revisions\/2689"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cert.pa\/index.php?rest_route=\/wp\/v2\/media\/2578"}],"wp:attachment":[{"href":"https:\/\/cert.pa\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2687"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cert.pa\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2687"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cert.pa\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2687"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}