Patch day: SAP updates close remote entry points in Business Warehouse

Source: Heise.de added 14th Jan 2021

On its January patch day, SAP fixed two critical security vulnerabilities in its business intelligence software Business Warehouse (BW); one of them also affects SAP BW/4HANA. A remote attacker with low access rights could abuse the vulnerabilities to completely compromise the system, which is why admins should react promptly. Updates are also available for SAP NetWeaver AS ABAP (a vulnerability rated "high") and for a number of products, addressing various "medium" vulnerabilities and one "low" vulnerability.

As always, SAP's advisory for the Security Patch Day summarizes all updates. The summary also points to some updated security notes from previous months, which users of the relevant products should also review. The security notes linked in the advisory provide additional details and update information in the protected customer area.

BW & BW/4HANA: Vulnerable versions and updates

The National Vulnerability Database (NVD) provides more information on the two critical vulnerabilities CVE-2021-21465 and CVE-2021-21466. According to the NVD, CVE-2021-21465 stems from insufficient checking or "clean-up" (sanitizing) of SQL commands by the BW database interface before they are executed. Using SQL injection, a remote attacker with low access rights can ultimately take over the SAP system completely.

In this context, SAP names CVE-2021-21468 as an additional CVE ID: a "medium" vulnerability that also affects the database interface and that, because of missing authentication checks, can allow any table to be read out.

According to the NVD, exploiting the second critical vulnerability, CVE-2021-21466, likewise requires at least low access rights. Using a certain function module, it is possible to inject code remotely in order to generate a malicious ABAP report. In this way, attackers could access sensitive data or execute commands on the system, which, among other things, could lead to a denial of service.

CVE-2021-21465 and the medium vulnerability CVE-2021-21468 affect SAP BW in versions 710, 711, 730, 731, 731, 750, 751, 752, 753, 754, 755 and 782. SAP BW 700, 701, 702, 711, 730, 731, 740, 750 and 782 as well as SAP BW/4HANA 100 and 200 are vulnerable to CVE-2021-21466. Update information can be found in SAP's advisory.

(ovw)
