CVSS severity scores range from 2.4 to 9.9

SAP squashes SQL injection, XSS bugs in December patch round

In the final official monthly patch round of the year, SAP has released fixes designed to tackle a range of critical security vulnerabilities.

On Tuesday (December 14), the tech giant published a security advisory detailing the latest batch of patches, which includes fixes for vulnerabilities that can be exploited for code execution, denial of service (DoS), and to perform cross-site scripting (XSS) attacks.

MUST READ Log4j: Security pros call for urgent patch implementation as in-the-wild exploitation continues

An SAP advisory lists code execution issues in the localized, Chinese version of SAP Commerce v. 2001. In total, 11 related CVEs point to flaws within XStream, a Java library used to serialize objects to XML.

Before version 1.4.16, the library contained vulnerabilities allowing attackers to manipulate streams to expose data, to overload CPU resources, to perform server-side forgery requests (SSRF), and to load and execute arbitrary code, among other issues.

The code execution issue, overall, has been assigned a near-maximum CVSS severity score of 9.9.

SAP also resolved CVE-2021-44231 – CVSS score 9.9 – which is a code injection flaw caused by an error in text extraction features of the Translation Tools section in SAP ABAP Server & ABAP. If exploited, this vulnerability allows attackers to hijack the application.

Input sanitization

SAP also pushed security updates for enterprise users related to CVE-2021-38176, an improper input sanitization vulnerability impacting a range of SAP applications, including SAP S/4HANA, SAP LTRS for S/4HANA, SAP LT Replication Server, SAP Test Data Migration Server, and SAP Landscape Transformation.

This issue was found in the SAP NZDT Mapping Table Framework and was originally patched in September 2021.

Read more of the latest enterprise security news

“An authenticated user with certain specific privileges can remotely call NZDT function modules listed in Solution Section to execute manipulated query or inject ABAP code to gain access to [the] backend database,” reads the bug description.

“On successful exploitation, the threat actor could completely compromise confidentiality, integrity, and availability of the system.”

Denial of service

An updated security note was also released in relation to the browser control Google Chromium delivered with SAP Business Client, impacting version 6.5.

In addition, SAP has resolved CVE-2021-37714, a critical DoS issue in SAP Commerce (CVSS 7.5); multiple vulnerabilities related to improper input validation in SAP 3D Visual Enterprise Viewer (CVE-2021-42068, CVE-2021-42070, CVE-2021-42069, CVE-2021-42069); an XSS flaw in the web Intelligence service of the SAP BusinessObjects Business Intelligence platform (CVE-2021-42061); and CVE-2021-44233, a low-severity authorization bug in GRC Access Control.

The Daily Swig has reached out to SAP with additional queries, and we will update if and when we hear back.

YOU MIGHT ALSO LIKE Propane distributor Superior Plus admits ransomware breach