SAP has released 12 new security notes, as well as updates to three previously announced security notes, as part of its July 2021 security patch day.
The two most serious vulnerabilities, both in NetWeaver, are addressed by the most important of the new security notes. The first is a missing authorization check (CVE-2021-33671, CVSS score of 7.6), while the second is a denial of service (CVE-2021-33670, CVSS score of 7.5).
The first vulnerability affects SAP NetWeaver Guided Procedures (SAP GP), a component of the Composite Application Framework (CAF) that allows users to access numerous backend systems based on their roles. The missing authorization was discovered in GP’s central administration interface, and it could result in illegal data access and manipulation.
The second flaw exists because HTTP requests are not adequately validated when monitoring data is saved in SAP NetWeaver AS for Java (Http Service). As a result, an attacker who can manipulate HTTP requests can exhaust system resources, resulting in a denial of service.
SAP also released nine other new security notes: one for a low-severity bug in NetWeaver AS for Java, and the rest for medium-severity bugs in CRM ABAP, NetWeaver AS ABAP and ABAP Platform, Lumira Server, Web Dispatcher and Internet Communication Manager, NetWeaver AS for Java (Enterprise Portal), Business Objects Web Intelligence (BI Launchpad), and 3D Visual Enterprise Viewer (Administrator).
In addition, SAP updated two Hot News security notes: one covering security updates for the Chromium browser in SAP Business Client (CVSS score of 10) and another for an improper authentication issue in NetWeaver ABAP Server and ABAP Platform (CVSS score of 9) that was first addressed in June 2021.
A third updated security note addresses a medium-severity potential XML External Entity (XXE) issue in SAP Process Integration (ESR Java Mappings).