CVSS severity scores range from 2.4 to 9.9
In its final round of official monthly patches this year, SAP has released fixes for a series of critical security vulnerabilities.
On Tuesday (December 14), the technology giant published a security advisory detailing the latest batch of patches, including fixes for vulnerabilities that could be used for code execution, denial of service (DoS), and cross-site scripting (XSS) attacks.
An SAP advisory lists the code execution issues in the localized Chinese version of SAP Commerce v. 2001. A total of 11 related CVEs point to flaws in XStream, a Java library for serializing objects to XML.
Prior to version 1.4.16, the library contained vulnerabilities that allowed attackers to manipulate streams to expose data, overload CPU resources, perform server-side request forgery (SSRF), and load and execute arbitrary code.
Overall, the CVSS severity score for the code execution issues is 9.9, close to the maximum.
SAP has also resolved CVE-2021-44231 (CVSS score 9.9), a code injection flaw caused by a bug in the text extraction function of SAP ABAP Server and the translation tools component of ABAP. If exploited, the vulnerability allows an attacker to hijack the application.
Input sanitization
SAP also pushed a security update for enterprise users relating to CVE-2021-38176, an improper input sanitization vulnerability that affects a series of SAP applications, including SAP S/4HANA, SAP LTRS for S/4HANA, SAP LT Replication Server, SAP Test Data Migration Server, and SAP Landscape Transformation.
This problem was discovered in the SAP NZDT mapping table framework and was originally patched in September 2021.
“Authenticated users with certain specific permissions can remotely call the NZDT function modules listed in the solution section to perform manipulation queries or inject ABAP code to gain access to [the] back-end database,” reads the bug description.
“After successful exploitation, threat actors may completely undermine the confidentiality, integrity and availability of the system.”
Denial of service
The company also released an updated security advisory relating to the Google Chromium browser control delivered with SAP Business Client, affecting version 6.5.
In addition, SAP has resolved CVE-2021-37714, a significant DoS issue in SAP Commerce (CVSS 7.5); multiple vulnerabilities related to improper input validation in SAP 3D Visual Enterprise Viewer (CVE-2021-42068, CVE-2021-42070, CVE-2021-42069); an XSS vulnerability in the Web Intelligence service of the SAP BusinessObjects Business Intelligence platform (CVE-2021-42061); and CVE-2021-44233, a low-severity authorization flaw in GRC Access Control.
We have contacted SAP with further inquiries and will update this article when we receive a response.