
SAP Patches Serious Code Injection, DoS Vulnerabilities

German software maker SAP has published 10 advisories to document flaws and fixes for a range of serious security vulnerabilities.


SAP also published a total of 7 other updates for previously released security notes on this month’s Patch Day, for a total of 17 Notes. Five of these carry the highest severity rating of Hot News.

The most important of these notes deal with multiple vulnerabilities in SAP Business Warehouse and carry a CVSS score of 9.9.

The first of the notes addresses CVE-2021-21465, which SAP describes as multiple issues in Business Warehouse (Database Interface). These bugs are an SQL injection and a missing authorization check (which has a CVSS score of 6.5), explains Onapsis, a firm that secures Oracle and SAP applications.


“An improper sanitization of provided SQL commands allowed an attacker to execute arbitrary SQL commands on the database which could lead to a full compromise of the affected system,” Onapsis notes in a blog shared with SecurityWeek. Minimum privileges are required for successful exploitation.

The missing authorization check could be exploited to read any database table. Because SAP decided to fix the bug through disabling the function module, applying the patch will result in a dump of all of the applications that call this function module.

The second serious issue addresses CVE-2021-21466, a code injection flaw in both Business Warehouse and BW/4HANA.

Caused by insufficient input validation, the flaw could be abused to inject malicious code that gets stored persistently as a report and which could be executed afterwards, potentially affecting the confidentiality, integrity, and availability of systems. The attacker needs low privileges for exploitation.

The remaining three are updates for fixes previously released in April 2018 (updates for the Chrome browser in Business Client – CVSS score of 10), November 2020 (privilege escalation in NetWeaver Application Server for Java – CVSS score of 9.1), and December 2020 (code injection in Business Warehouse – CVSS score of 9.1).

A single advisory with a severity rating of High Priority was released this month, to address CVE-2021-21446 (CVSS score of 7.5), a denial of service issue in SAP NetWeaver AS ABAP and ABAP Platform.

A second warning that SAP released prior to the January 2021 Patch day fixes “an issue in the binding process of the Central Order service to a Cloud Foundry application” that could have allowed “unauthorized SAP employees to access the binding credentials of the service.”

Assessed as Medium and Low Priority, the remaining security notes address vulnerabilities in SAP Commerce Cloud, BusinessObjects, Master Data Governance, NetWeaver, GUI for Windows, 3D Visual Enterprise Viewer, Banking Services, and EPM add-in.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
