SAP Security Notes Review: March 2021
09th March 2021
SAP’s security patch day for March 2021 has seen the release of 9 OSS SAP security notes and 4 updates to existing notes. 8 OSS notes have been classified as medium, 1 OSS note has been classified as high and 4 as critical, based on CVSS v3.0 rating.
2 OSS notes have been released this month for SAP NetWeaver AS JAVA and SAP 3D Visual Enterprise Viewer. Single notes have been released for SAP Solution Manager, SAP Business Client, SAP MII, SAP NetWeaver AS JAVA, SAP HANA, SAP Enterprise Financial Services, SAP NetWeaver Knowledge Management, SAP Payment Engine, SAP 3D Visual Enterprise Viewer, SAP BusinessObjects and SAP ERP.
Vulnerabilities: March 2021 Highlights
[CVE-2021-21480] Code injection vulnerability in SAP Manufacturing Integration and Intelligence (SAP Note 3022622)
SAP MII allows users to create dashboards and save them as JSP through the Self Service Composition Environment. An attacker can intercept a request to the server and inject malicious JSP code into it. The malicious JSP code can contain certain OS commands, through which an attacker can read sensitive files on the server, modify files, or even delete contents on the server, thus compromising the confidentiality, integrity and availability of the server hosting the SAP MII application.
[CVE-2021-21481] Missing Authorization Check in SAP NetWeaver AS JAVA (MigrationService) (SAP Note 3022422)
The MigrationService, which is part of SAP NetWeaver, does not perform an authorization check. This might allow an unauthorized attacker to access configuration objects, including those that grant administrative privileges. This could result in complete compromise of system confidentiality, integrity, and availability.
[CVE-2021-21484] Possible authentication bypass in SAP HANA LDAP scenarios (SAP Note 3017378)
LDAP authentication in SAP HANA can be bypassed if the attached LDAP directory server is configured to enable unauthenticated bind.
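Why an enabled unauthenticated bind undermines LDAP-backed login can be modelled in a few lines. This is an added example, not SAP HANA code or content from the SAP note: a constructed in-memory directory following the simple-bind outcomes of RFC 4513 section 5.1, where `DirectoryServer`, `login_naive` and `login_hardened` are hypothetical names, showing the directory-side setting next to the client-side guard the RFC recommends.

```python
"""Constructed model of RFC 4513 simple-bind outcomes; not vendor code."""

ALICE = "uid=alice,ou=people,dc=example,dc=test"   # constructed sample entry
DIRECTORY = {ALICE: "correct horse"}               # constructed DN -> password


class DirectoryServer:
    """Hypothetical stand-in for an LDAP server's simple bind handling."""

    def __init__(self, entries, allow_unauthenticated_bind):
        self.entries = entries
        self.allow_unauthenticated_bind = allow_unauthenticated_bind

    def simple_bind(self, dn, password):
        """Return (result_code, authorization_identity)."""
        if dn == "" and password == "":
            return ("success", "anonymous")        # anonymous bind
        if password == "":
            # Unauthenticated bind: a name is supplied but no password.
            if self.allow_unauthenticated_bind:
                # Succeeds, but the session is anonymous: nothing was proven.
                return ("success", "anonymous")
            return ("unwillingToPerform", None)    # RFC 4513 default behaviour
        if self.entries.get(dn) == password:
            return ("success", dn)
        return ("invalidCredentials", None)


def login_naive(server, dn, password):
    """Weak pattern: any successful bind is taken as proof of identity."""
    result, _identity = server.simple_bind(dn, password)
    return result == "success"


def login_hardened(server, dn, password):
    """Refuse empty names/passwords and require the bound identity to match."""
    if not dn or not password:
        return False
    result, identity = server.simple_bind(dn, password)
    return result == "success" and identity == dn


def check_matrix():
    """Empty-password login outcome per (server setting, client pattern)."""
    out = {}
    for allowed in (True, False):
        srv = DirectoryServer(DIRECTORY, allow_unauthenticated_bind=allowed)
        out[(allowed, "naive")] = login_naive(srv, ALICE, "")
        out[(allowed, "hardened")] = login_hardened(srv, ALICE, "")
    return out
```

Only the combination of an enabled unauthenticated bind and a client that equates bind success with authentication accepts the empty password; correcting either side closes it.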
About this review
On the second Tuesday of each month, SAP release security updates to their software products. At Absoft, we analyse all of the released security updates and produce this security review, including sending bespoke recommendations for each of our managed service customers.
There is more information on how we handle SAP security updates, including information on SAP’s process, the CVE process and the CVSS base scores in our earlier article on addressing security vulnerabilities in SAP software.