In its latest security updates, tech giant SAP released nine security patches including fixes for SAP NetWeaver and two other newly detected vulnerabilities.
The SAP MII Vulnerability:
One of them is a vulnerability found in the SAP Manufacturing Integration and Intelligence(MII) application. This was a critical code injection vulnerability, tracked as CVE-2021-21480, that gained a near-maximum severity CVSS grade of 9.9.
SAP MII is an application for coordinating manufacturing operations with back-office business processes and standardized data.
It also provides analytics and workflow tools for determining issues in the production process and helps to enhance its performance.
- Vulnerabilities in this could resource threat actors to seize a request to the server, inject malevolent JSP code, and forward it to the server. This form of attack is known as a man-in-the-middle (MitM) attack.
- When the dashboard deployed by users i.e. user having at least the SAP_XMII_Developer role access, is opened, malicious code on the dashboard gets implemented subsequently forwarding to remote code execution in the servers and enable privilege escalation.
- The malicious JSP code can hold certain OS commands, using which threat actors can read sensitive, private files stored on the server, modify and even erase files in the server.
The SAP NetWeaver vulnerability:
The other vulnerability is one in the SAP NetWeaver application which is a software stack for many of SAP SE’s applications.
A lacking administrative authorization check in the SAP NetWeaver has eared a similar critical rating on the CVSS score of 9.6. This vulnerability is tracked as CVE-2021-21481.
- The vulnerability consequences in threat actors being able to implement remote execution of code to gain full command of vulnerable systems.
- They can then access configuration objects, including ones that allow administrative privileges thus compromising system confidentiality, integrity, and availability.
The SAP HANA vulnerability:
Perhaps, a vulnerability in the SAP HANA LDAP is one of the most remarkable barring the aforementioned.
SAP HANA is an in-memory, column-guided, relational database management system whose primary function is to store and retrieve data as requested by the applications.
This seemingly severe vulnerability, tracked as CVE-2021-21484, is a prospective authentication bypass vulnerability that could have implemented the illegal circumvention of the application.
The vulnerability results in the bypassing of the LDAP authentication in the HANA Database version 2.0 if the attached LDAP directory server has enabled unattested link configuration.
Other security updates screen less stringent vulnerabilities in SAP’s enterprise software packages.