Remotely Exploitable Flaws in SAP® Business Warehouse and SAP® BW/4HANA

news vulnerability

In a series of multiple vulnerabilities discovered in 2020 by the SEC Consult Vulnerability Lab and reported to SAP SE, another two were patched on today's SAP Patch Tuesday January 2021. These include patches for critical issues in the ABAP stack of SAP Business Warehouse and SAP BW/4HANA.

Hand pointing at SAP - SEC Consult


Tagged with CVSSv3 scores of 9.9, CVE-2021-21465 and CVE-2021-21466 allow remote attackers holding minimal privileges to take complete control of affected application servers. As such, the vulnerable components endanger not only the confidentiality, but also the availability and integrity of business data backed in corporate IT infrastructures. Reported by SEC Consult’s security researcher Fabian Hagg, SAP today introduced the corresponding patches to close the gaps. We highly recommend implementing security note 2986980 and 2999854 in a timely manner to protect against any attacks targeting the identified flaws.

These are the latest in a set of vulnerabilities identified in the Business Warehouse component. Another Code Injection (CVE-2020-26838) was found by SEC Consult’s researcher Raschin Tavakoli and has already been patched in the December Patch Tuesday 2020. We advise to double-check if all previously identified vulnerabilities we reported last year (see table below) have been closed accordingly. Since we know that applying patches and security measures to mission-critical IT systems can be a complex and tough task, we align here with SAP’s disclosure guidelines and provide a grace period before publication of detailed information on our findings.

At last, we would like to thank the SAP Product Security Response Team (PSRT) once again for their cooperation and the professional handling of vulnerabilities which we submitted in 2020.

Researcher: Fabian Hagg, Alexander Meier, Raschin Tavakoli

SAP Security Note Title Status Vulnerability ID CVSSv3 Rating
2986980 SQL Injection vulnerability in SAP Business Warehouse (Database Interface) Fixed 01-2021 CVE-2021-21465 9.9
2999854 Code Injection in SAP Business Warehouse and SAP BW/4HANA Fixed 01-2021 CVE-2021-21466 9.9
2986980 Missing Authorization Check in SAP Business Warehouse (Database Interface) Fixed 01-2021 CVE-2021-21468 6.5
2993132 Missing Authorization Check in SAP NetWeaver AS ABAP and SAP S/4HANA (SAP Landscape Transformation) Fixed 12-2020 CVE-2020-26832 7.6
2983367 Code Injection vulnerability in SAP Business Warehouse (Master Data Management) and SAP BW/4HANA Fixed 12-2020 CVE-2020-26838 9.1
2973735 Code Injection in SAP AS ABAP and S/4 HANA (DMIS) Fixed 11-2020 CVE-2020-26808 9.1
2958563 Code Injection vulnerability in SAP NetWeaver (ABAP) and ABAP Platform Fixed 09-2020 CVE-2020-6318 9.1
2835979* Code Injection vulnerability in Service Data Download Fixed 05-2020 CVE-2020-6262 9.9

More On The Topic