SAP releases January 2021 security updates
SAP has released a total of 17 new and updated security notes. Five of them carry the highest severity rating, Hot News.
SAP describes the first of the notes (CVE-2021-21465) as "Multiple vulnerabilities in SAP Business Warehouse (Database Interface)". Successful exploitation requires only minimal privileges. Because the provided SQL commands are not properly sanitized, an attacker could execute arbitrary SQL commands on the database, which could result in a complete compromise of the affected system. SAP fixed the bug by disabling the function module; once the patch is applied, all applications calling this function module will dump.
The second one relates to CVE-2021-21466, a code injection in both Business Warehouse and BW/4HANA. The vulnerability could be exploited to inject malicious code that is permanently saved as a report and can be executed later, which could affect the confidentiality, integrity, and availability of systems. An attacker needs low privileges to exploit it.
The other three are updates to fixes previously released in April 2018 (Updates to Chrome Browser in Business Client – CVSS score 10), November 2020 (Privilege escalation in NetWeaver Application Server for Java – CVSS score 9.1), and December 2020 (Business Warehouse code injection – CVSS score 9.1).
An exploit for a critical bug in SAP SolMan is publicly available
The exploit is fully functional and targets the CVE-2020-6207 vulnerability. By exploiting the vulnerability, an attacker can compromise all SMDAgents connected to SAP Solution Manager. A successful attack using this vulnerability can impact an organization’s cybersecurity, compromising critical data, SAP applications, and business processes.
An attacker who gains access to the SolMan platform can potentially compromise any business system connected to SolMan, gain access to confidential data, delete data, and assign superuser privileges to any new user.
Microsoft Teams integrates with SAP business applications
Microsoft and SAP announced they will accelerate the implementation of SAP S/4HANA on Azure and build new integrations between Teams and SAP S/4HANA, SAP SuccessFactors and SAP Customer Experience. Microsoft and SAP have been working to launch SAP business software and services on Azure since 2011.
These integrations are expected to be available to customers by mid-2021.