“On 13th of April 2021, SAP Security Patch Day saw the release of 14 Security Notes,” SAP announced. The most dangerous of them affects its Business Client product.
The SAP Business Client Bug
The vulnerability resides in the Business Client product, a desktop user interface that serves as an entry point to multiple SAP business applications. Notably, the issue is located in the Chromium-based browser control embedded in the client, not in SAP's own application code. Technical details about the flaw have not been published; so far, the only known fact is that it carries the maximum severity rating of 10 out of 10.
CVE-2021-27602
Another vulnerability fixed in this month's set of patches is CVE-2021-27602, a bug in the Backoffice application of SAP Commerce. The National Vulnerability Database describes it as follows:
SAP Commerce, versions – 1808, 1811, 1905, 2005, 2011, Backoffice application allows certain authorized users to create source rules which are translated to Drools rules when published to certain modules within the application. An attacker with this authorization can inject malicious code in the source rules and perform remote code execution enabling them to compromise the confidentiality, integrity and availability of the application.
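To make concrete why the ability to author rules that are compiled into Drools amounts to code execution, here is an added example. It is not code from the article, from SAP, or from the Drools project, and it does not reproduce SAP Commerce's source-rule translation, which is not public; it only shows the general Drools behaviour that the NVD description relies on. It assumes the public Drools 7.x API (`org.drools:drools-compiler` on the classpath) and uses a rule text constructed for this illustration.

```java
package demo;

import org.kie.api.io.ResourceType;
import org.kie.api.runtime.KieSession;
import org.kie.internal.utils.KieHelper;

// Added example, not SAP's or Drools' own code. Demonstrates that the
// consequence ("then" block) of a DRL rule is ordinary Java that the engine
// compiles and runs with the privileges of the hosting application.
public class DroolsConsequenceDemo {

    // Constructed rule text. The "when" part looks like harmless business
    // logic; everything after "then" is arbitrary Java.
    static final String RULE_TEXT = String.join("\n",
        "package demo;",
        "rule \"label order\"",
        "when",
        "    $orderId : String()",
        "then",
        "    // the kind of consequence a business user is expected to write:",
        "    System.out.println(\"Processing order \" + $orderId);",
        "    // but any Java a rule author adds here is compiled and executed too,",
        "    // with whatever the application server process can reach:",
        "    System.out.println(\"Rule ran as OS user '\" + System.getProperty(\"user.name\")",
        "        + \"' in \" + System.getProperty(\"user.dir\"));",
        "end");

    // Builds a knowledge base from the rule text, inserts one constructed
    // fact and fires the rules. Returns the number of rules that fired.
    public static int runRule(String orderId) {
        KieSession session = new KieHelper()
            .addContent(RULE_TEXT, ResourceType.DRL)
            .build()
            .newKieSession();
        try {
            session.insert(orderId);           // the String fact matched by "when"
            return session.fireAllRules();     // consequence executes here
        } finally {
            session.dispose();
        }
    }

    public static void main(String[] args) {
        int fired = runRule("order-1234");     // constructed sample input
        System.out.println("rules fired: " + fired);
    }
}
```

The practical consequence for defenders is that whatever authorization in Backoffice permits creating and publishing source rules should be treated as equivalent to administrative code execution on the Commerce server: grant it sparingly, review who holds it, and apply the Security Note rather than relying on rule authors being trusted.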
CVE-2021-21481
The company also addressed a security flaw in its NetWeaver product, identified as CVE-2021-21481:
The MigrationService, which is part of SAP NetWeaver versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not perform an authorization check. This might allow an unauthorized attacker to access configuration objects, including such that grant administrative privileges. This could result in complete compromise of system confidentiality, integrity, and availability.
CVE-2021-21481 is quite severe as well, with a CVSS score of 9.6 out of 10: because the missing authorization check sits in a service that exposes configuration objects, an attacker who reaches it can read or change settings that grant administrative privileges.
The rest of the notes released this week fix several medium-severity flaws. As SAP pointed out, a single Security Note can fix multiple vulnerabilities in the same product, so the number of notes is not the number of vulnerabilities addressed.
Hackers exploiting bugs in SAP’s mission-critical apps
Earlier this month, we reported on hackers exploiting several security vulnerabilities in popular mission-critical SAP applications. Those vulnerabilities enabled full takeover of the affected systems and gave the attackers access to the targeted organizations. The company pointed out that the lack of timely mitigation in many organizations usually leaves an exploit window open for attackers. Applying security patches as soon as they are made available should therefore be a high priority for all affected entities.