On 09.03.2021 a security relevant correction has been released by SAP SE. The manufacturer resolves an issue within Java.
SAP Note 2978151 addresses "Reverse tabnabbing issue in Unified Rendering based frameworks in NetWeaver Application Server Java" to prevent reverse tabnabbing with a medium risk for exploitation.
A workaround does not exist, according to SAP Security Advisory team. It is advisable to implement the correction as part of maintenance, the team suggests.
Reverse tabnabbing is an attack where a page linked from the target page is able to rewrite that page, for example
to replace it with a phishing site. The following figure shows a brief illustration:
While the user was originally on the correct page there is a high risk they will not notice that it has been changed to a phishing site.
Risk specificationApplications based on SAP Unified Rendering allow an unauthenticated remote attacker to redirect users to a malicious site due to insufficient reverse tabnabbing URL validation.
This note is a technical prerequisite for other UI Frameworks, the final fix itself will be delivered with the UI-Frameworks. Note you must ensure to update the corresponding SCA provided by:
- Implement note 2976947 first and ensure to install the corresponding AJAX-RUNTIME.SCA provided by this note
- Implement note 2977001 first and ensure to install framework.sca and framework-ext.sca provided by this note
SAP Netweaver Application Server Java is part of the SAP NetWeaver Application Platform. It provides the complete infrastructure for deploying and running Java applications.
- The AS Java Home: SAP Netweaver Application Server Java wiki
- A dedicated SAP NetWeaver 7.40 Application Server for Java Security Guide exists.
The advisory is valid for
- AJAX-RUNTIME 7.20
- AJAX-RUNTIME 7.30
- AJAX-RUNTIME 7.31
- AJAX-RUNTIME 7.40
- AJAX-RUNTIME 7.50
- FRAMEWORK 7.10-7.11 4
- FRAMEWORK 7.20 3
- FRAMEWORK 7.30 3
- FRAMEWORK 7.31 3
- FRAMEWORK 7.40 3
- FRAMEWORK 7.50 3
- FRAMEWORK-EXT 7.30 2
- FRAMEWORK-EXT 7.31 2
- FRAMEWORK-EXT 7.40 2
- FRAMEWORK-EXT 7.50 2
- SAP_JTECHF 7.00 2
- SAP_JTECHS 7.00 3
- 4.7 [CVE-2021-21478] Reverse Tabnabbing vulnerability in SAP NetWeaver Application Server ABAP (Applications based on Web Dynpro ABAP)
- 4.7 Reverse Tabnabbing vulnerability within SAP NetWeaver Application Server ABAP (Applications based on SAP GUI for HTML)
- 4.7 [CVE-2021-21491] Reverse TabNabbing vulnerability in SAP NetWeaver Application Server Java (Applications based on Web Dynpro Java)
- 4.7 Reverse TabNabbing vulnerability in SAP NetWeaver Application Server Java (Applications based on HTMLB for Java)
- 4.1 Reverse Tabnabbing vulnerability within SAP CRM WebClient UI