SAP Security Notes Review: March 2021



09th March 2021

SAP’s security patch day for March 2021 has seen the release of 9 OSS SAP security notes and 4 updates to existing notes. 8 OSS notes have been classified as medium, 1 OSS note has been classified as high and 4 as critical, based on the CVSS v3.0 rating.

[Figure: bar graph showing the different severity levels of SAP security notes, March 2021]

2 OSS notes have been released this month for SAP NetWeaver AS JAVA and SAP 3D Visual Enterprise Viewer. Single notes have been released for SAP Solution Manager, SAP Business Client, SAP MII, SAP NetWeaver AS JAVA, SAP HANA, SAP Enterprise Financial Services, SAP NetWeaver Knowledge Management, SAP Payment Engine, SAP 3D Visual Enterprise Viewer, SAP BusinessObjects and SAP ERP.

[Figure: graphs showing the severity levels of security notes per SAP product, March 2021]


Vulnerabilities: March 2021 Highlights

[CVE-2021-21480] Code injection vulnerability in SAP Manufacturing Integration and Intelligence (SAP Note 3022622)

SAP MII allows users to create dashboards and save them as JSP through the Self Service Composition Environment. An attacker can intercept a request to the server and inject malicious JSP code into the request. Because the saved JSP is executed server-side, the injected code can carry OS commands, through which an attacker can read sensitive files on the server, modify files, or even delete contents on the server, thus compromising the confidentiality, integrity and availability of the server hosting the SAP MII application.
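The root cause above is that user-supplied dashboard markup is persisted as a JSP and therefore evaluated by the server. One defensive control an application owner can apply in front of such a save path is to refuse any content that carries a JSP scripting element at all, rather than trying to spot specific dangerous calls. The validator below is an added illustration written for this review; it is not SAP's code and makes no claim about how SAP MII implements its fix. The pattern names, function names and the two sample dashboards are constructed for the example.

```python
import re

# Added example (not SAP's code): a conservative pre-save filter for
# user-supplied dashboard markup. Any construct the JSP engine would
# evaluate is rejected; names below are constructed for illustration.

# One pattern per JSP construct that causes server-side evaluation.
JSP_SCRIPTING_PATTERNS = {
    # <% %>, <%= %>, <%! %>, <%@ %>; the lookahead skips <%-- comments --%>
    "scriptlet_or_directive": re.compile(r"<%(?!--)"),
    # XML-syntax equivalents such as <jsp:scriptlet> or <jsp:directive.page>
    "xml_syntax_scripting": re.compile(
        r"<jsp:(scriptlet|expression|declaration|directive\.\w+)\b", re.IGNORECASE
    ),
    # Expression Language: ${...} and deferred #{...}
    "expression_language": re.compile(r"[$#]\{"),
}


def find_scripting_elements(content: str) -> list[tuple[str, int]]:
    """Return (construct name, character offset) for every scripting element found,
    ordered by position in the document."""
    findings = []
    for name, pattern in JSP_SCRIPTING_PATTERNS.items():
        for match in pattern.finditer(content):
            findings.append((name, match.start()))
    return sorted(findings, key=lambda finding: finding[1])


def validate_dashboard(content: str) -> bool:
    """True only when the markup contains nothing the JSP engine would execute.
    Plain HTML with data attributes (the kind of markup a dashboard builder
    legitimately emits) passes; any scripting element fails the whole document."""
    return not find_scripting_elements(content)


# Constructed samples: a benign dashboard tile and one carrying JSP scripting.
CLEAN_DASHBOARD = """<div class="tile">
  <h2>Line 3 throughput</h2>
  <span data-widget="gauge" data-source="kpi/line3"></span>
</div>"""

TAMPERED_DASHBOARD = """<div class="tile">
  <h2>Line 3 throughput</h2>
  <%= request.getParameter("title") %>
  <p>${param.note}</p>
</div>"""

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_DASHBOARD), ("tampered", TAMPERED_DASHBOARD)):
        if validate_dashboard(doc):
            print(f"{label}: accepted")
        else:
            print(f"{label}: rejected, found {find_scripting_elements(doc)}")
```

The design choice worth noting is the allowlist stance: the check does not try to recognise which Java calls are harmful, because any scriptlet at all means the server will run attacker-controlled code. Rejecting the whole document on the first hit is also what makes the check easy to log and alert on.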

 

[CVE-2021-21481] Missing Authorization Check in SAP NetWeaver AS JAVA (MigrationService) (SAP Note 3022422)

The MigrationService, which is part of SAP NetWeaver, does not perform an authorization check. This might allow an unauthorized attacker to access configuration objects, including objects that grant administrative privileges. This could result in complete compromise of system confidentiality, integrity, and availability.


[CVE-2021-21484] Possible authentication bypass in SAP HANA LDAP scenarios (SAP Note 3017378)

LDAP authentication in SAP HANA can be bypassed if the attached LDAP directory server is configured to enable unauthenticated bind.
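The bypass described above is a general LDAP pitfall (RFC 4513, section 5.1): a simple bind with a non-empty name and an empty password is an "unauthenticated bind", and a directory that allows it answers success while leaving the session anonymous. An application that treats the bind result code alone as proof of identity is then fooled by an empty password. The code below is an added illustration for this review, not SAP's code, and makes no claim about how SAP HANA's LDAP integration is implemented; the simulated directory, the user DN and the password are all constructed.

```python
from dataclasses import dataclass

# Added example (not SAP's code). The directory below is a constructed
# stand-in that reproduces only the bind outcomes of RFC 4513 s.5.1;
# it is not an LDAP client or server.


@dataclass(frozen=True)
class BindResult:
    success: bool
    authz_id: str  # identity the session was bound to; "" means anonymous


class SimulatedDirectory:
    def __init__(self, passwords: dict[str, str], allow_unauthenticated_bind: bool):
        self._passwords = passwords  # DN -> password (constructed test data)
        self._allow_unauthenticated_bind = allow_unauthenticated_bind

    def simple_bind(self, dn: str, password: str) -> BindResult:
        if not dn and not password:
            # Anonymous bind: succeeds but grants no identity.
            return BindResult(True, "")
        if dn and not password:
            # Unauthenticated bind: a name with an empty password. A directory
            # configured to allow it returns success, yet the session stays anonymous.
            return BindResult(self._allow_unauthenticated_bind, "")
        if self._passwords.get(dn) == password:
            return BindResult(True, dn)
        return BindResult(False, "")


def authenticate_naive(directory: SimulatedDirectory, dn: str, password: str) -> bool:
    """Trusts the bind result code alone. Against a directory that allows
    unauthenticated bind, an empty password is enough to 'log in' as any DN."""
    return directory.simple_bind(dn, password).success


def authenticate_hardened(directory: SimulatedDirectory, dn: str, password: str) -> bool:
    """Two independent controls: refuse empty credentials before ever binding,
    and accept the bind only if the directory bound the session to the claimed DN."""
    if not dn or not password:
        return False
    result = directory.simple_bind(dn, password)
    return result.success and result.authz_id == dn


# Constructed test fixtures.
USER_DN = "cn=hana_admin,ou=users,dc=example,dc=com"
PERMISSIVE_DIRECTORY = SimulatedDirectory({USER_DN: "s3cret-sample"}, allow_unauthenticated_bind=True)
STRICT_DIRECTORY = SimulatedDirectory({USER_DN: "s3cret-sample"}, allow_unauthenticated_bind=False)

if __name__ == "__main__":
    print("naive, permissive directory, empty password:",
          authenticate_naive(PERMISSIVE_DIRECTORY, USER_DN, ""))       # True: the bypass
    print("hardened, permissive directory, empty password:",
          authenticate_hardened(PERMISSIVE_DIRECTORY, USER_DN, ""))    # False
    print("hardened, permissive directory, real password:",
          authenticate_hardened(PERMISSIVE_DIRECTORY, USER_DN, "s3cret-sample"))  # True
    print("naive, strict directory, empty password:",
          authenticate_naive(STRICT_DIRECTORY, USER_DN, ""))           # False
```

The example shows why the mitigation has two halves. Disabling unauthenticated bind on the directory closes the gap for every client, but the application-side check is what protects a system that cannot control the directory it is pointed at, which is the scenario the note describes.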

 

About this review

On the second Tuesday of each month, SAP releases security updates for its software products. At Absoft, we analyse all of the released security updates and produce this security review, including sending bespoke recommendations to each of our managed service customers.

There is more information on how we handle SAP security updates, including information on SAP’s process, the CVE process and the CVSS base scores in our earlier article on addressing security vulnerabilities in SAP software.
