SAP Patches Critical Flaws in MII, NetWeaver Products
SAP's March 2021 Security Patch Day updates include 9 new security notes, two of which address critical vulnerabilities affecting the company's NetWeaver Application Server and Manufacturing Integration and Intelligence products.
This month's set of patches also includes 4 updates to previously released Patch Day security notes. Two of the updated notes are rated Hot News; they address a missing authorization check in Solution Manager and deliver the latest patches for the Chromium browser in Business Client.
The most severe of the newly released security notes addresses a code injection vulnerability in SAP MII. Tracked as CVE-2021-21480, the vulnerability features a CVSS score of 9.9.
Based on NetWeaver AS Java, SAP MII provides monitoring and data analysis capabilities, capturing data from production machinery and providing real-time information on performance and efficiency.
The second Hot News security note that SAP released on Tuesday addresses a missing authorization check in the Migration Service of NetWeaver AS Java.
Successful exploitation requires that the LDAP directory server enables unauthenticated bind and that SAP HANA has been configured to automatically create users and allow access based on LDAP authentication.
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-03-09 | CVE-2021-21480 | Code Injection vulnerability in SAP Manufacturing Integration and Intelligence: SAP MII allows users to create dashboards and save them as JSP through the SSCE (Self Service Composition Environment). | 8.8 |