The SAP Business Client Bug
The vulnerability resides in the Business Client product, which is a user interface serving as an entry point to multiple SAP business applications. It is noteworthy that the issue is located in the Chromium-based browser control, not in the app itself. Technical details about the flaw are not available; so far, the only known thing is that it’s rated 10 out of 10 in terms of severity.
Another vulnerability fixed in this month’s set of patches is CVE-2021-27602, a bug in SAP’s Backoffice app:
SAP Commerce, versions – 1808, 1811, 1905, 2005, 2011, Backoffice application allows certain authorized users to create source rules which are translated to drools rule when published to certain modules within the application. An attacker with this authorization can inject malicious code in the source rules and perform remote code execution enabling them to compromise the confidentiality, integrity and availability of the application, according to the description provided by the National Vulnerability Database.
The company also addressed a security flaw in its NetWeaver product, identified as CVE-2021-21481:
The MigrationService, which is part of SAP NetWeaver versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not perform an authorization check. This might allow an unauthorized attacker to access configuration objects, including such that grant administrative privileges. This could result in complete compromise of system confidentiality, integrity, and availability.
The CVE-2021-21481 is quite severe as well, with a score of 9.6 out of 10.
The rest of the patches released this week fix several medium-severity flaws. Multiple vulnerabilities in the same product can be fixed by a single security note, SAP said.
Hackers exploiting bugs in SAP’s mission-critical apps
Earlier this month, we reported hackers exploiting several security vulnerabilities in popular mission-critical SAP applications. The vulnerabilities enabled full takeover and give access to the targeted vulnerable organizations. The company pointed that the lack of timely mitigations in many organizations usually leaves an exploit window open for attackers. Therefore, applying all security patches once they are made available should be highly prioritized by all affected entities.