In its Security Patch Day notes, the SAP Product Security Response Team singled out one critical vulnerability: a potential remote code execution flaw in a kernel component of the ABAP platform, the runtime behind the widely used ABAP programming language on which SAP systems are built. CISA (Cybersecurity & Infrastructure Security Agency) has previously issued alerts warning that unpatched SAP applications are actively targeted by threat actors, so a kernel-level flaw of this severity deserves immediate attention.
About SAP And ABAP
SAP SE (the name derives from “System Analysis Program Development”), a German blue-chip company employing over 100,000 personnel, is one of the leading software vendors in the business process management sector. SAP established, “the global standard for enterprise resource planning (ERP) software.” ABAP (Advanced Business Application Programming) is SAP’s own programming language for building and customizing its ERP products. It was the language of the classic R/3 platform, which covers billing, human resource management, resource coordination and similar business processes, and it still underpins the current ABAP Platform. SAP counts more than 230 million cloud users on its business platforms and claims, “the largest cloud portfolio of any provider.”
Remote Code Execution Risk
The remote code execution risk (CVE-2021-40501) is an “Improper authorization” flaw affecting certain releases of the ABAP platform kernel that can allow a remote attacker to compromise a vulnerable system. The SAP Security Patch Day notes give the vulnerability a CVSS (Common Vulnerability Scoring System) score of 9.6 out of 10, which places it in SAP’s highest ‘Hot News’ priority category. A score in that range is reserved for flaws that are easy to reach over the network and give an attacker a high impact on confidentiality, integrity and availability; on an ERP system that holds finance and HR data, that is a business-critical exposure rather than a theoretical one.
Technical Details
The vulnerability allows a remote attacker to compromise an affected system and exists because of missing authorization checks within the SAP ABAP Platform Kernel. A remote attacker can send a specially crafted request to the application and execute arbitrary code on the system. Because the missing check sits in the kernel itself rather than in application or custom ABAP code, a review of your own ABAP programs will not reveal it, and the only remediation is to install the patched kernel SAP provides.
Vulnerable Software Versions
The advisory lists the following SAP ABAP Platform kernel releases as affected: 7.77, 7.81, 7.85 and 7.86. These are kernel (platform) releases, not versions of the ABAP language itself, so the relevant check is the kernel release and patch level of every application server, not merely the release of the installed product.
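As a practical follow-up to the list above, here is an added example (not SAP’s code and not part of the original article) that turns the advisory’s release list into an inventory check. It parses the banner printed by the kernel’s `disp+work -version` command, pulls out the “kernel release” and “patch number” fields, and flags any host whose release is one of those named in the advisory. The banner layout used in the regular expression, the host names and the sample banners are constructed assumptions; the patch level that contains the fix is deliberately not hard-coded, because the article does not state it, so a hit means “compare this host’s patch level with the SAP note”, not “confirmed vulnerable”.

```python
"""Flag SAP ABAP Platform kernel releases listed for CVE-2021-40501.

Added example, not SAP's code. Reads the text that "disp+work -version"
prints on an application server and reports hosts whose kernel release is
one of the releases named in the advisory (7.77, 7.81, 7.85, 7.86).
"""
import re

# Releases from the advisory, written the way the kernel banner prints them
# (three digits, no dot).
AFFECTED_RELEASES = {"777", "781", "785", "786"}

# Assumed banner layout: "<label>   <value>" lines. Only the two fields that
# matter for this check are captured; other lines are ignored.
_FIELD = re.compile(r"^\s*(kernel release|patch number)\s+(\d+)\s*$", re.MULTILINE)

# Constructed sample banners for two hosts; real output has many more lines.
SAMPLE_BANNERS = {
    "erp-prd-01": """\
--------------------
disp+work information
--------------------

kernel release                785

kernel make variant           785_REL

compiled on                   Linux GNU SLES-12 x86_64 cc8.2.1

patch number                  100

source id                     0.100
""",
    "erp-dev-01": """\
--------------------
disp+work information
--------------------

kernel release                753

kernel make variant           753_REL

patch number                  900
""",
}


def parse_kernel_banner(banner: str) -> dict:
    """Return {"release": "785", "patch": 100} from a disp+work -version banner.

    Raises ValueError when no "kernel release" line is present so that a
    truncated or garbled capture is reported instead of silently passing.
    """
    fields = dict(_FIELD.findall(banner))
    if "kernel release" not in fields:
        raise ValueError("no 'kernel release' line in banner")
    patch = int(fields["patch number"]) if "patch number" in fields else None
    return {"release": fields["kernel release"], "patch": patch}


def release_as_version(release: str) -> str:
    """'785' -> '7.85', the form used in the SAP advisory."""
    return f"{release[0]}.{release[1:]}"


def assess(host: str, banner: str) -> dict:
    """Classify one host. A hit is a prompt to verify against the SAP note,
    since the fixed patch level is not encoded here."""
    info = parse_kernel_banner(banner)
    affected = info["release"] in AFFECTED_RELEASES
    return {
        "host": host,
        "release": release_as_version(info["release"]),
        "patch": info["patch"],
        "affected_release": affected,
        "action": ("compare patch level with the SAP note for CVE-2021-40501"
                   if affected else "release not in advisory list"),
    }


def assess_fleet(banners: dict) -> list:
    """Assess every host; hosts on an affected release are listed first."""
    results = [assess(host, text) for host, text in banners.items()]
    return sorted(results, key=lambda r: not r["affected_release"])


if __name__ == "__main__":
    for finding in assess_fleet(SAMPLE_BANNERS):
        flag = "CHECK" if finding["affected_release"] else "ok   "
        print(f"{flag} {finding['host']}: kernel {finding['release']} "
              f"patch {finding['patch']} -> {finding['action']}")
```

In a real landscape you would feed `assess_fleet` the captured output of `disp+work -version` from every application server (each instance can run its own kernel), and treat every “CHECK” line as a ticket to reconcile against the patch level given in the SAP note before closing it.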
Important User Information
Administrators should know that SAP has released a fix for this vulnerability as a kernel patch, and it should be applied as swiftly as possible. Because the fix is delivered in the kernel, it must be rolled out to every application server in the landscape and the instances restarted; patching the central instance alone leaves the others exposed. SAP’s vulnerability report states that “SAP strongly recommends that the customer visits the Support Portal and applies patches on a priority to protect their SAP landscape.” The patches are available from the SAP Support Portal (support.sap.com).