SAP’s security patch day for January 2021 has seen the release of 10 OSS SAP security notes and 7 updates to existing notes. Based on the CVSS v3.0 rating, 1 OSS note has been classified as low, 10 OSS notes as medium, 1 OSS note as high and 5 as critical.

A graph showing SAP security note CVSS base scores

3 OSS notes have been released this month for SAP NetWeaver AS JAVA and SAP Business Warehouse. 2 notes have been released for SAP NetWeaver AS ABAP. Single notes have been released for SAP Business Client, SAP Commerce Cloud, SAP BusinessObjects, SAP Master Data Governance, SAP GUI, SAP NetWeaver Master Data Management, SAP 3D Visual Enterprise Viewer, SAP Banking Services and SAP EPM ADD-IN.

A graph showing SAP security notes by product category


Vulnerabilities: January 2021 Highlights


[CVE-2021-21465] Multiple vulnerabilities in SAP Business Warehouse (Database Interface) (SAP Note 2986980)

Two vulnerabilities have been discovered in SAP BW:

SQL Injection – An attacker with low-level privileges can submit SQL commands that the database runs without the untrusted data having been properly sanitised, resulting in a SQL injection vulnerability. This can fully compromise an affected system.

Missing Authorisation Checks – The BW Database Interface does not perform the necessary authorisation checks for an authenticated user, resulting in an escalation of privileges that allows the user to read out practically any database table.
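To illustrate the two BW issues described above, here is a constructed ABAP example (not SAP’s or Absoft’s code): a generic “read a table” helper in a flawed form that shows both the missing authorisation check and unsanitised input reaching SQL, beside a hardened form. The class CL_ABAP_DYN_PRG and the authorisation object S_TABU_NAM are standard; the method names, the table allowlist and the local exception class are assumptions made for the example.

```abap
CLASS lcx_denied DEFINITION INHERITING FROM cx_static_check. ENDCLASS.

CLASS lcl_table_reader DEFINITION.
  PUBLIC SECTION.
    " Tables this interface is allowed to expose (constructed list).
    CONSTANTS gc_allowed TYPE string VALUE 'SFLIGHT,SPFLI,SCARR'.
    " Flawed variant: no authorisation check, caller text pasted into SQL.
    METHODS read_unsafe
      IMPORTING iv_table TYPE string iv_field TYPE string iv_value TYPE string
      RETURNING VALUE(rr_rows) TYPE REF TO data.
    " Hardened variant: authorisation, identifier allowlist, quoted literal.
    METHODS read_safe
      IMPORTING iv_table TYPE string iv_field TYPE string iv_value TYPE string
      RETURNING VALUE(rr_rows) TYPE REF TO data
      RAISING   lcx_denied cx_abap_not_in_whitelist cx_abap_invalid_name.
ENDCLASS.

CLASS lcl_table_reader IMPLEMENTATION.
  METHOD read_unsafe.
    " Any authenticated caller gets here. iv_value is concatenated verbatim,
    " so a quote inside it rewrites the WHERE clause; iv_table is unchecked.
    DATA(lv_where) = |{ iv_field } = '{ iv_value }'|.
    CREATE DATA rr_rows TYPE STANDARD TABLE OF (iv_table).
    ASSIGN rr_rows->* TO FIELD-SYMBOL(<lt_rows>).
    SELECT * FROM (iv_table) WHERE (lv_where) INTO TABLE @<lt_rows>.
  ENDMETHOD.

  METHOD read_safe.
    " 1. Authorisation: caller needs display (ACTVT 03) on this table via
    "    S_TABU_NAM, checked before any database access.
    DATA(lv_tabname) = CONV tabname( to_upper( iv_table ) ).
    AUTHORITY-CHECK OBJECT 'S_TABU_NAM'
      ID 'TABLE' FIELD lv_tabname
      ID 'ACTVT' FIELD '03'.
    IF sy-subrc <> 0.
      RAISE EXCEPTION TYPE lcx_denied.
    ENDIF.
    " 2. Identifiers: table must be on the allowlist and the column must be
    "    a syntactically valid name; both raise before any SQL is built.
    DATA(lv_table) = cl_abap_dyn_prg=>check_whitelist_str(
                       val = to_upper( iv_table ) whitelist = gc_allowed ).
    DATA(lv_field) = cl_abap_dyn_prg=>check_column_name( to_upper( iv_field ) ).
    " 3. Data: the value becomes a properly quoted literal (embedded quotes
    "    doubled), so it cannot terminate the string and add conditions.
    DATA(lv_where) = |{ lv_field } = { cl_abap_dyn_prg=>quote( iv_value ) }|.
    CREATE DATA rr_rows TYPE STANDARD TABLE OF (lv_table).
    ASSIGN rr_rows->* TO FIELD-SYMBOL(<lt_rows>).
    SELECT * FROM (lv_table) WHERE (lv_where) INTO TABLE @<lt_rows>.
  ENDMETHOD.
ENDCLASS.
```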


[CVE-2021-21466] Code Injection in SAP Business Warehouse and SAP BW/4HANA (SAP Note 2999854)

SAP Business Warehouse and SAP BW/4HANA allow a low-privileged attacker to inject code over the network using a remote-enabled function module. Because the module lacks input validation, an attacker with the appropriate access can execute it and inject malicious ABAP code.


[CVE-2021-21446] Denial of service (DOS) in SAP NetWeaver AS ABAP and ABAP Platform (SAP Note 3000306)

SAP NetWeaver AS ABAP and ABAP Platform allow an unauthenticated attacker to prevent legitimate users from accessing a service, either by crashing or by flooding the service. The ABAP Keyword Documentation of ABAP Server and ABAP Platform comes with a set of demo examples embedded in the documentation. When executing such examples from the web version of the ABAP Keyword Documentation, users can lock themselves out, which these users experience as “service not available”.


About this review

On the second Tuesday of each month, SAP releases security updates for its software products. At Absoft, we analyse all of the released security updates and produce this security review, including sending bespoke recommendations to each of our managed service customers.

There is more information on how we handle SAP security updates, including information on SAP’s process, the CVE process and the CVSS base scores in our earlier article on addressing security vulnerabilities in SAP software.
