Security News > 2021 > March > SAP Patches Critical Flaws in MII, NetWeaver Products

SAP Patches Critical Flaws in MII, NetWeaver Products
2021-03-10 11:40

SAP's March 2021 Security Patch Day updates include 9 new security notes, including two for critical vulnerabilities affecting the company's NetWeaver Application Server and Manufacturing Integration and Intelligence products.

This month's set of patches also includes 4 updates to previously released Patch Day security notes, including updates for two notes rated Hot News, which address a missing authorization check in Solution Manager and deliver the latest patches for the Chromium browser in Business Client.

The most severe of the newly released security notes addresses a code injection vulnerability in SAP MII. Tracked as CVE-2021-21480, the vulnerability features a CVSS score of 9.9.

Based on NetWeaver AS Java, SAP MII provides monitoring and data analysis capabilities, capturing data from production machinery and providing real-time information on performance and efficiency.

The second Hot News security note that SAP released on Tuesday addresses a missing authorization check in the Migration Service of NetWeaver AS Java.

Successful exploitation requires that the LDAP directory server enables unauthenticated bind and that SAP HANA has been configured to automatically create users and allow access based on LDAP authentication.


News URL

http://feedproxy.google.com/~r/Securityweek/~3/F_swV98_auY/sap-patches-critical-flaws-mii-netweaver-products

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2021-03-09 CVE-2021-21480 Code Injection vulnerability in SAP Manufacturing Integration and Intelligence
SAP MII allows users to create dashboards and save them as JSP through the SSCE (Self Service Composition Environment).
network
low complexity
sap CWE-94
critical
9.0

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
SAP 401 112 969 240 97 1418