SAP Security Notes Review: April 2021
13th April 2021
SAP’s security patch day for April 2021 has seen the release of 14 OSS SAP security notes and 5 updates to existing notes. Of these, 11 OSS notes have been classified as medium, 5 as high and 3 as critical, based on the CVSS v3.0 rating.
7 OSS notes have been released this month for SAP NetWeaver AS JAVA. 2 have been released for SAP NetWeaver AS ABAP and SAP PI. Single notes have been released for SAP Solution Manager, SAP Business Client, SAP Commerce, SAP NetWeaver Master Data Management, SAP Setup, SAP Manufacturing Execution, SAP Focused RUN and SAP Fiori.
Vulnerabilities: April 2021 Highlights
[CVE-2021-27602] Remote Code Execution vulnerability in Source Rules of SAP Commerce (SAP Note 3040210)
SAP Commerce Backoffice allows users with certain authorisations to inject malicious code into the source rules and perform remote code execution.
[CVE-2021-21482] Information Disclosure in SAP NetWeaver Master Data Management (SAP Note 3017908)
Unlike regular user accounts, the MDM administrative accounts cannot be locked after multiple unsuccessful connection retries. This means an attacker could brute force the password and obtain access to sensitive data.
[CVE-2021-21485] Information Disclosure in SAP NetWeaver AS for Java (Telnet Commands) (SAP Note 3001824)
An unauthorised user could trick an administrator into invoking telnet commands of an SAP NetWeaver Application Server for Java that allow the attacker to obtain password information of a privileged user.
[CVE-2021-27603] Denial of Service (DoS) in SAP NetWeaver AS ABAP (SAP Note 3028729)
An RFC enabled function module in SAP NetWeaver AS ABAP allows an attacker to keep a work process busy for any length of time. The attacker could call this function module multiple times to block all work processes and affect the availability of the system.
About this review
On the second Tuesday of each month, SAP releases security updates for its software products. At Absoft, we analyse all of the released security updates and produce this security review, including sending bespoke recommendations to each of our managed service customers.
There is more information on how we handle SAP security updates, including information on SAP’s process, the CVE process and the CVSS base scores in our earlier article on addressing security vulnerabilities in SAP software.