SAP Patches Serious Code Injection, DoS Vulnerabilities

German software maker SAP has published 10 advisories to document flaws and fixes for a range of serious security vulnerabilities.

SAP also published a total of 7 other updates for previously released security notes on this month’s Patch Day, for a total of 17 Notes. Five of these carry the highest severity rating of Hot News.

Dealing with multiple vulnerabilities in SAP Business Warehouse, the most important of these issues carry a CVSS score of 9.9.

The first of the notes addressed CVE-2021-21465, which SAP describes as multiple issues in Business Warehouse (Database Interface). These bugs are an SQL Injection and a missing authorization check (that features a CVSS score of 6.5), Onapsis, a firm that secures Oracle and SAP applications, explains. 

[ ALSO SEE: Microsoft Patch Tuesday: 83 Vulnerabilities, 10 Critical ]

“An improper sanitization of provided SQL commands allowed an attacker to execute arbitrary SQL commands on the database which could lead to a full compromise of the affected system,” Onapsis notes in a blog shared with SecurityWeek. Minimum privileges are required for successful exploitation.

The missing authorization check could be exploited to read any database table. Because SAP decided to fix the bug through disabling the function module, applying the patch will result in a dump of all of the applications that call this function module.

The second serious issue addresses CVE-2021-21466, a code injection flaw in both Business Warehouse and BW/4HANA.

Caused by insufficient input validation, the flaw could be abused to inject malicious code that gets stored persistently as a report and which could be executed afterwards, potentially affecting the confidentiality, integrity, and availability of systems. The attacker needs low privileges for exploitation.

The remaining three are updates for fixes previously released in April 2018 (updates for the Chrome browser in Business Client – CVSS score of 10), November 2020 (privilege escalation in NetWeaver Application Server for Java – CVSS score of 9.1), and December 2020 (code injection in Business Warehouse – CVSS score of 9.1).

A single advisory with a severity rating of High Priority was released this month, to address CVE-2021-21446 (CVSS score of 7.5), a denial of service issue in SAP NetWeaver AS ABAP and ABAP Platform.

A second warning that SAP released prior to the January 2021 Patch day fixes “an issue in the binding process of the Central Order service to a Cloud Foundry application” that could have allowed “unauthorized SAP employees to access the binding credentials of the service.”

Assessed as Medium and Low Priority, the remaining security notes address vulnerabilities in SAP Commerce Cloud, BusinessObjects, Master Data Governance, NetWeaver, GUI for Windows, 3D Visual Enterprise Viewer, Banking Services, and EPM add-in.

Related: SAP Releases Four ‘Hot News’ Notes on December 2020 Patch Day

Related: SAP Patches Several Critical Vulnerabilities With November 2020 Security Updates

Related: SAP Patches Critical Vulnerability in CA Introscope Enterprise Manager