SAP takes the security of its vast product portfolio very seriously and thus releases security fixes for
vulnerabilities reported by external researchers and their customers every second Tuesday of the month.
SAP Note 3000897 was released on 09.02.2021 and deals with "[CVE-2021-21475] Directory Traversal vulnerability in SAP NetWeaver Master Data Management 7.1" within Java.
We advise you to follow the instructions to resolve the directory traversal (read) vulnerability, which has a medium potential for exploitation, in component MDM-FN-MDS-SEC.
According to the SAP Security Advisory team, a workaround does not exist. It is advisable to implement the correction as part of maintenance.
Risk specification
Under specific circumstances, SAP NetWeaver Master Data Management (MDM) allows an unauthenticated attacker to exploit insufficient validation of path information provided by users. The attacker could read the content of arbitrary files and expose sensitive data.
A restriction is added in the MDM server settings (mds.ini file) that limits access to files inside directories, but not their subdirectories.
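The kind of check this restriction implies (a file directly inside an allowed directory is readable; a file in a subdirectory, or one reached by traversal, is not) is sketched below. This is an added example, not SAP's code or the content of the SAP Note; the directory and file names are constructed, and the actual mds.ini parameter is not shown on this page.

```python
import os
import tempfile

def resolve_allowed(requested, allowed_dirs):
    """Return the canonical path when `requested` names a file located
    directly inside one of `allowed_dirs` (not a subdirectory); else None."""
    if not requested or "\x00" in requested:
        return None
    # realpath collapses "..", "." and symlinks before any comparison is made.
    real = os.path.realpath(requested)
    allowed = {os.path.realpath(d) for d in allowed_dirs}
    # Exact parent match: files in subdirectories of an allowed dir are refused.
    if os.path.dirname(real) in allowed and os.path.isfile(real):
        return real
    return None

def demo():
    """Build a constructed directory tree and evaluate sample requests."""
    with tempfile.TemporaryDirectory() as root:
        allowed = os.path.join(root, "archives")    # hypothetical allowed directory
        sub = os.path.join(allowed, "old")          # subdirectory of the allowed one
        os.makedirs(sub)
        secret = os.path.join(root, "secret.ini")   # file outside the allowed directory
        for path in (os.path.join(allowed, "report.txt"),
                     os.path.join(sub, "report.txt"), secret):
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
        link = os.path.join(allowed, "link.ini")
        os.symlink(secret, link)                    # symlink that points outside
        requests = {
            "direct": os.path.join(allowed, "report.txt"),
            "subdir": os.path.join(sub, "report.txt"),
            "dotdot": os.path.join(allowed, "..", "secret.ini"),
            "dotdot_back": os.path.join(sub, "..", "report.txt"),
            "symlink": link,
        }
        return {name: resolve_allowed(path, [allowed]) is not None
                for name, path in requests.items()}

if __name__ == "__main__":
    for name, permitted in demo().items():
        print(f"{name:12s} {'allowed' if permitted else 'refused'}")
```

The decision is made on the canonical path, so a request that only looks like it stays inside the directory (a `..` segment or a symlink) is judged by where it actually lands.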
SAP NetWeaver Application Server Java is part of the SAP NetWeaver Application Platform. It provides the complete infrastructure for deploying and running Java applications.
- The AS Java Home: SAP NetWeaver Application Server Java wiki
- A dedicated SAP NetWeaver 7.40 Application Server for Java Security Guide exists.
The advisory is valid for:
- MDM_CLIX 710 3
- MDM_CLIX 710.750 2
- MDM_CONSOLE 710 3
- MDM_CONSOLE 710.750 2
- MDM_DATA_MANAGER 710 3
- MDM_DATA_MANAGER 710.750 2
- MDM_IMPORT_MANAGER 710 3
- MDM_IMPORT_MANAGER 710.750 2
- MDM_IMP_SRV 710 3
- MDM_IMP_SRV 710.750 2
- MDM_LANGUAGE_SELECTOR 710 2
- MDM_LANGUAGE_SELECTOR 710.750 2
- MDM_SERVER 7.1 3
- MDM_SERVER 710.750 2
- MDM_SHARED_INSTALL_CONTENT 710 3
- MDM_SHARED_INSTALL_CONTENT 710.750 2
- MDM_SYNDICATOR 710 3
- MDM_SYNDICATOR 710.750 2
- MDM_SYND_SRV 710 3