SAP Patches Serious Code Injection, DoS Vulnerabilities

German software maker SAP has published 10 advisories to document flaws and fixes for a range of serious security vulnerabilities.


SAP also published a total of 7 other updates for previously released security notes on this month’s Patch Day, for a total of 17 Notes. Five of these carry the highest severity rating of Hot News.


Dealing with multiple vulnerabilities in SAP Business Warehouse, the most important of these issues carry a CVSS score of 9.9.


The first of the notes addressed CVE-2021-21465, which SAP describes as multiple issues in Business Warehouse (Database Interface). These bugs are an SQL Injection and a missing authorization check (that features a CVSS score of 6.5), Onapsis, a firm that secures Oracle and SAP applications, explains. 


[ ALSO SEE: Microsoft Patch Tuesday: 83 Vulnerabilities, 10 Critical ]


“An improper sanitization of provided SQL commands allowed an attacker to execute arbitrary SQL commands on the database which could lead to a full compromise of the affected system,” Onapsis notes in a blog shared with SecurityWeek. Minimum privileges are required for successful exploitation.


The missing authorization check could be exploited to read any database table. Because SAP decided to fix the bug through disabling the function module, applying the patch will result in a dump of all of the applications that call this function module.


The second serious issue addresses CVE-2021-21466, a code injection flaw in both Business Warehouse and BW/4HANA.


Caused by insufficient input validation, the flaw could be abused to inject malicious code that gets st ..