SAP NetWeaver AS Java and AS ABAP Multiple Vulnerabilities (Apr 2021)

medium Nessus Plugin ID 148573
New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Synopsis

The remote SAP NetWeaver AS Java server may be affected by multiple vulnerabilities.

Description

The version of SAP Netweaver Application Server for Java installed on the remote host may be affected by multiple vulnerabilities, including the following:

- An unauthorized attacker may be able to entice an administrator to invoke telnet commands of an SAP NetWeaver Application Server for Java that allow the attacker to gain NTLM hashes of a privileged user.
(CVE-2021-21485)

- SAP NetWeaver AS JAVA (Customer Usage Provisioning Servlet), versions - 7.31, 7.40, 7.50, allows an attacker to read some statistical data like product version, traffic, timestamp etc. because of missing authorization check in the servlet. (CVE-2021-27598)

- SAP NetWeaver AS Java (Applications based on HTMLB for Java) allows a basic-level authorized attacker to store a malicious file on the server. When a victim tries to open this file, it results in a cross-site scripting (XSS) vulnerability and the attacker can read and modify data. However, the attacker does not have control over kind or degree. (CVE-2021-27601)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Apply the appropriate patch according to the vendor advisory.

See Also

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=573801649

https://launchpad.support.sap.com/#/notes/3027937

https://launchpad.support.sap.com/#/notes/3025637

https://launchpad.support.sap.com/#/notes/2963592

https://launchpad.support.sap.com/#/notes/3001824

https://launchpad.support.sap.com/#/notes/3028729

Plugin Details

Severity: Medium

ID: 148573

File Name: sap_netweaver_as_apr_2021.nasl

Version: 1.5

Type: remote

Family: Web Servers

Published: 4/15/2021

Updated: 4/22/2021

Dependencies: sap_netweaver_as_web_detect.nbin

Configuration: Enable paranoid mode

Risk Information

CVSS Score Source: CVE-2021-27598

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Temporal Vector: E:U/RL:OF/RC:C

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:sap:netweaver_application_server

Required KB Items: installed_sw/SAP Netweaver Application Server (AS), Settings/ParanoidReport

Exploit Ease: No known exploits are available

Patch Publication Date: 4/13/2021

Vulnerability Publication Date: 4/13/2021

Reference Information

CVE: CVE-2021-21485, CVE-2021-21492, CVE-2021-27598, CVE-2021-27601, CVE-2021-27603

IAVA: 2021-A-0165