
SAP Patches Serious Code Injection, DoS Vulnerabilities

German software maker SAP has published 10 advisories to document flaws and fixes for a range of serious security vulnerabilities.

SAP also published 7 updates to previously released security notes on this month’s Patch Day, for a total of 17 notes. Five of these carry the highest severity rating, Hot News.

The most important of them deal with multiple vulnerabilities in SAP Business Warehouse and carry a CVSS score of 9.9.

The first of the notes addresses CVE-2021-21465, which SAP describes as multiple issues in Business Warehouse (Database Interface). According to Onapsis, a firm that secures Oracle and SAP applications, the note covers an SQL injection and a missing authorization check (the latter rated at CVSS 6.5).


“An improper sanitization of provided SQL commands allowed an attacker to execute arbitrary SQL commands on the database which could lead to a full compromise of the affected system,” Onapsis notes in a blog shared with SecurityWeek. Minimum privileges are required for successful exploitation.

The missing authorization check could be exploited to read any database table. Because SAP chose to fix the bug by disabling the affected function module, applying the patch will cause a short dump (an ABAP runtime error) in any application that still calls that function module, so custom code should be checked for such calls before the note is applied.
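As an added illustration of the two bug classes this note covers (this is not SAP's or Onapsis' code, and not the affected function module), the following ABAP report builds a dynamic SELECT from caller input twice: once with the table name and WHERE clause taken verbatim and no authorization check, and once hardened. The report name, the SFLIGHT demo table, the package name ZSEC_DEMO and the use of the S_TABU_NAM authorization object are assumptions made for the example.

```abap
*&---------------------------------------------------------------------*
*& Added example (not SAP's or Onapsis' code): dynamic Open SQL built
*& from caller input, unsafe and hardened. Report name, the SFLIGHT demo
*& table, package ZSEC_DEMO and the S_TABU_NAM check are assumptions.
*&---------------------------------------------------------------------*
REPORT zsec_dyn_sql_demo.

PARAMETERS: p_table TYPE tabname DEFAULT 'SFLIGHT',
            p_carr  TYPE c LENGTH 40 LOWER CASE DEFAULT 'LH'.

" VULNERABLE: the table name and the WHERE clause are taken verbatim.
" No AUTHORITY-CHECK, so any dictionary table can be read, and no
" escaping, so an input of   LH' OR CARRID <> 'XX   turns the clause
" into   CARRID = 'LH' OR CARRID <> 'XX'   and returns every row.
FORM read_unsafe USING    iv_table TYPE tabname
                          iv_carr  TYPE c LENGTH 40
                 CHANGING ct_rows  TYPE STANDARD TABLE.
  DATA(lv_where) = |CARRID = '{ iv_carr }'|.
  SELECT * FROM (iv_table)
    WHERE (lv_where)
    INTO TABLE @ct_rows.
ENDFORM.

" HARDENED: check authorization first, validate the table name against
" the dictionary, and bind the comparison value as a host variable.
FORM read_safe USING    iv_table TYPE tabname
                        iv_carr  TYPE c LENGTH 40
               CHANGING ct_rows  TYPE STANDARD TABLE.
  " 1. S_TABU_NAM grants access per table name; ACTVT 03 = display.
  AUTHORITY-CHECK OBJECT 'S_TABU_NAM'
    ID 'TABLE' FIELD iv_table
    ID 'ACTVT' FIELD '03'.
  IF sy-subrc <> 0.
    MESSAGE e398(00) WITH 'No display authorization for' iv_table.
  ENDIF.

  " 2. Only a real dictionary table in the expected package passes;
  "    anything else raises and is turned into an error message.
  DATA lv_table TYPE string.
  TRY.
      lv_table = cl_abap_dyn_prg=>check_table_name_str(
                   val      = CONV string( iv_table )
                   packages = 'ZSEC_DEMO' ).
    CATCH cx_abap_not_a_table cx_abap_not_in_package.
      MESSAGE e398(00) WITH 'Table name rejected:' iv_table.
  ENDTRY.

  " 3. The value is bound with @, so it can never alter the statement.
  SELECT * FROM (lv_table)
    WHERE carrid = @iv_carr
    INTO TABLE @ct_rows.
ENDFORM.

START-OF-SELECTION.
  DATA lt_rows TYPE STANDARD TABLE OF sflight.
  DATA lv_cnt  TYPE i.

  PERFORM read_unsafe USING p_table p_carr CHANGING lt_rows.
  lv_cnt = lines( lt_rows ).
  WRITE: / 'rows via read_unsafe:', lv_cnt.

  PERFORM read_safe USING p_table p_carr CHANGING lt_rows.
  lv_cnt = lines( lt_rows ).
  WRITE: / 'rows via read_safe:  ', lv_cnt.
```

The hardened form relies on three independent controls: the authority check limits which tables the user may read, cl_abap_dyn_prg=>check_table_name_str rejects anything that is not a dictionary table in the expected package, and the comparison value travels as a host variable so it cannot change the statement. Where the WHERE text genuinely has to be assembled dynamically, values should be wrapped with cl_abap_dyn_prg=>quote( ), which adds the surrounding single quotes and doubles any quotes embedded in the value.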

The second Hot News note addresses CVE-2021-21466, a code injection flaw in both Business Warehouse and BW/4HANA.


Caused by insufficient input validation, the flaw could be abused to inject malicious code that gets stored persistently as a report and which could be executed afterwards, potentially affecting the confidentiality, integrity, and availability of systems. The attacker needs low privileges for exploitation.
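As an added illustration of this bug class (not SAP's code and not the actual BW flaw), the ABAP report below contrasts a routine that splices a caller-supplied expression into program source and persists it with INSERT REPORT, which is the "stored as a report, executed afterwards" pattern described above, with a version that lets the caller choose only from an allowlist of field names and operators, hands the comparison value in at run time, and generates a temporary subroutine pool instead of a repository object. The report names, the SFLIGHT demo table and the allowed field list are assumptions made for the example.

```abap
*&---------------------------------------------------------------------*
*& Added example (not SAP's code, not the actual BW flaw): caller input
*& becoming ABAP source, unsafe and hardened. Report names, the SFLIGHT
*& demo table and the allowed field list are assumptions.
*&---------------------------------------------------------------------*
REPORT zsec_gen_code_demo.

" VULNERABLE: a "filter expression" from the caller is spliced into the
" source of a new program and persisted with INSERT REPORT. It now lives
" in the repository and runs whenever that report is executed, and an
" input such as   1 = 1. <any ABAP statement>. IF 1 = 1   is accepted
" verbatim, so a low-privileged caller gets code execution later.
FORM store_filter_unsafe USING iv_prog TYPE syrepid
                               iv_expr TYPE string.
  DATA lt_src TYPE STANDARD TABLE OF string.
  APPEND |REPORT { iv_prog }.|                           TO lt_src.
  APPEND |SELECT * FROM sflight INTO TABLE @DATA(lt_f).| TO lt_src.
  APPEND |LOOP AT lt_f INTO DATA(ls_f).|                 TO lt_src.
  APPEND |  IF { iv_expr }. WRITE / ls_f-carrid. ENDIF.| TO lt_src.
  APPEND |ENDLOOP.|                                      TO lt_src.
  INSERT REPORT iv_prog FROM lt_src.
ENDFORM.

" HARDENED: the caller picks a field and an operator from a closed list,
" the comparison value reaches the generated routine only as a run-time
" parameter (never as source text), and the code goes into a temporary
" subroutine pool rather than a stored report.
FORM filter_safe USING    iv_field TYPE string
                          iv_op    TYPE string
                          iv_value TYPE string
                 CHANGING ct_hits  TYPE STANDARD TABLE.
  CASE iv_field.
    WHEN 'CARRID' OR 'PLANETYPE'.
    WHEN OTHERS.
      MESSAGE e398(00) WITH 'Field not allowed:' iv_field.
  ENDCASE.
  CASE iv_op.
    WHEN '=' OR '<>'.
    WHEN OTHERS.
      MESSAGE e398(00) WITH 'Operator not allowed:' iv_op.
  ENDCASE.

  DATA: lt_src  TYPE STANDARD TABLE OF string,
        lv_prog TYPE syrepid,
        lv_msg  TYPE string.
  APPEND |PROGRAM.| TO lt_src.
  APPEND |FORM match USING is_f TYPE sflight iv_v TYPE string CHANGING cv_hit TYPE abap_bool.| TO lt_src.
  APPEND |  cv_hit = boolc( is_f-{ iv_field } { iv_op } iv_v ).| TO lt_src.
  APPEND |ENDFORM.| TO lt_src.

  GENERATE SUBROUTINE POOL lt_src NAME lv_prog MESSAGE lv_msg.
  IF sy-subrc <> 0.
    MESSAGE e398(00) WITH 'Generation failed:' lv_msg.
  ENDIF.

  SELECT * FROM sflight INTO TABLE @DATA(lt_f).
  DATA lv_hit TYPE abap_bool.
  LOOP AT lt_f INTO DATA(ls_f).
    PERFORM match IN PROGRAM (lv_prog) USING ls_f iv_value CHANGING lv_hit.
    IF lv_hit = abap_true.
      APPEND ls_f TO ct_hits.
    ENDIF.
  ENDLOOP.
ENDFORM.

START-OF-SELECTION.
  DATA lt_hits TYPE STANDARD TABLE OF sflight.
  PERFORM filter_safe USING `CARRID` `=` `LH` CHANGING lt_hits.
  DATA(lv_n) = lines( lt_hits ).
  WRITE: / 'matching flights:', lv_n.
```

The point of the hardened version is that nothing the caller controls is ever concatenated into source text: identifiers are taken from a fixed set, the value is a parameter, and the generated pool disappears with the session instead of being stored where it can be run again later by anyone.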

The remaining three Hot News notes are updates to fixes previously released in April 2018 (updates for the Chrome browser in Business Client – CVSS score of 10), November 2020 (privilege escalation in NetWeaver Application Server for Java – CVSS score of 9.1), and December 2020 (code injection in Business Warehouse – CVSS score of 9.1).

A single advisory with a severity rating of High Priority was released this month, to address CVE-2021-21446 (CVSS score of 7.5), a denial of service issue in SAP NetWeaver AS ABAP and ABAP Platform.

A second note, which SAP released before the January 2021 Patch Day, fixes “an issue in the binding process of the Central Order service to a Cloud Foundry application” that could have allowed “unauthorized SAP employees to access the binding credentials of the service.”

Assessed as Medium and Low Priority, the remaining security notes address vulnerabilities in SAP Commerce Cloud, BusinessObjects, Master Data Governance, NetWeaver, GUI for Windows, 3D Visual Enterprise Viewer, Banking Services, and EPM add-in.


Written by Ionut Arghire, an international correspondent for SecurityWeek.
