On 09.02.2021 SAP SE released a security-relevant correction that resolves an issue in the BI/BO platform.
SAP Note 2935791 addresses "[CVE-2021-21444] Clickjacking vulnerability in SAP Business Objects Business Intelligence Platform (CMC and BI Launchpad)". The correction prevents clickjacking and the issue is rated as a medium risk for exploitation.
According to the SAP Security Advisory team, no workaround exists. The team suggests implementing the correction as part of regular maintenance.
Risk specification
SAP BusinessObjects allows multiple X-Frame-Options entries in the response headers. Not all user agents treat duplicated entries predictably, which can nullify the added XFO header and leave the pages open to a clickjacking attack.
The fix removes the duplicated "X-Frame-Options" header from the login pages of the CMC and BI Launchpad applications.
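The misconfiguration described above is easy to detect from a captured response. The following checker is an added example, not SAP's code or part of the note: it parses a raw HTTP header block and flags duplicated, conflicting, unrecognised or missing framing protection. The header blocks are constructed for illustration and do not come from a real SAP system.

```python
"""Detect duplicate or conflicting X-Frame-Options headers in an HTTP response."""
from typing import Dict, List, Tuple

# Values a modern browser honours; ALLOW-FROM is obsolete and ignored by current browsers
VALID_XFO = {"DENY", "SAMEORIGIN"}


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw header block (status line first) into (name, value) pairs, keeping duplicates."""
    pairs = []
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def check_frame_protection(headers: List[Tuple[str, str]]) -> Dict[str, object]:
    """Return a verdict on the framing protection carried by the given headers."""
    xfo_values = [v.upper() for n, v in headers if n == "x-frame-options"]
    # CSP frame-ancestors is the newer mechanism; count it as protection when present
    csp_fa = [v for n, v in headers if n == "content-security-policy"
              and "frame-ancestors" in v.lower()]
    findings = []
    if len(xfo_values) > 1:
        # Duplicates are flagged even when the values agree: user agents do not treat them uniformly
        findings.append(f"duplicate X-Frame-Options header ({len(xfo_values)} copies)")
    if len(set(xfo_values)) > 1:
        findings.append("conflicting X-Frame-Options values: " + ", ".join(sorted(set(xfo_values))))
    for v in xfo_values:
        if v not in VALID_XFO:
            findings.append("unrecognised X-Frame-Options value: " + v)
    if not xfo_values and not csp_fa:
        findings.append("no framing protection (no X-Frame-Options, no CSP frame-ancestors)")
    return {"xfo": xfo_values, "csp_frame_ancestors": bool(csp_fa),
            "ok": not findings, "findings": findings}


# Constructed sample: a login page response carrying the header twice (before the fix)
RAW_BEFORE = """HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
X-Frame-Options: SAMEORIGIN
Set-Cookie: JSESSIONID=constructed-value; HttpOnly
X-Frame-Options: DENY
"""

# Constructed sample: the same response with the duplicate removed (after the fix)
RAW_AFTER = """HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
X-Frame-Options: SAMEORIGIN
Set-Cookie: JSESSIONID=constructed-value; HttpOnly
"""

if __name__ == "__main__":
    for label, raw in (("before", RAW_BEFORE), ("after", RAW_AFTER)):
        print(label, check_frame_protection(parse_headers(raw)))
```

Run the same check against the captured responses of the CMC and BI Launchpad login pages after patching to confirm that only one X-Frame-Options header remains.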
SAP BusinessObjects Business Intelligence suite is an analytics platform that lets SAP customers make better decisions based on their business data. SAP BI is a module for producing business insights; it is most powerful in combination with HANA DB and also exists as BW/4HANA. Because it processes sensitive business data, data security is of utmost importance.
The advisory is valid for:
- 5.4 Clickjacking vulnerability in Cloud Integration Content of SAP Process Integration
- 5.4 Clickjacking vulnerability in SAP Process Integration (Integration Builder Framework)
- 4.6 Clickjacking vulnerability in Runtime Workbench of SAP Process Integration
- 4.3 Whitelist service for Clickjacking Framing Protection in AS ABAP
- 0.0 Clickjacking vulnerability in Adapter Runtime of SAP Process Integration