A note with CVSS 7.7 for component HAN-DB-SEC was released by SAP on 09.03.2021. The correction/advisory 3017378 is titled "[CVE-2021-21484] Possible authentication bypass in SAP HANA LDAP scenarios" and affects the system type SAP HANA Platform.
According to the SAP Security Advisory team, a workaround exists. It is advisable to implement the correction as part of regular maintenance.
The vulnerability addressed is missing authentication check within SAP HANA Platform.
Risk specification: LDAP authentication in SAP HANA can be bypassed if the attached LDAP directory server is configured to allow unauthenticated bind. SAP HANA can also be configured to create users automatically on successful LDAP authentication, so the bypass can result in the attacker creating new users.
Incomplete authentication credentials are not forwarded by SAP HANA to the LDAP directory. Please update to these or later versions to benefit from the improvement:
- SAP HANA 2.0 SPS04: revision 48.04
- SAP HANA 2.0 SPS05: revision 54
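The two conditions above (a directory that accepts unauthenticated bind, and HANA forwarding an empty password before the fix) can be modelled in a few lines. The following is an added, constructed example, not SAP or OpenLDAP code: `MockDirectory` implements the RFC 4513 simple-bind rules and `HanaLdapAuth` models the pre-fix and post-fix behaviour; the DN mapping and the `demo` inputs are assumptions.

```python
"""Constructed model of the bypass in SAP note 3017378 (CVE-2021-21484)."""
from dataclasses import dataclass, field


@dataclass
class MockDirectory:
    """Constructed directory: DN -> password, plus the unauthenticated-bind switch."""
    passwords: dict
    # RFC 4513 5.1.2: servers SHOULD reject unauthenticated bind by default.
    # On OpenLDAP the 'allow bind_anon_dn' directive turns it on.
    allow_unauthenticated_bind: bool = False

    def simple_bind(self, dn: str, password: str) -> bool:
        if dn == "" and password == "":   # anonymous bind: no user identity
            return False
        if password == "":                # unauthenticated bind: name, no password
            return self.allow_unauthenticated_bind
        return self.passwords.get(dn) == password


@dataclass
class HanaLdapAuth:
    """Models HANA's LDAP login with optional automatic user creation."""
    directory: MockDirectory
    auto_create_users: bool = True
    forward_incomplete_credentials: bool = True   # True = pre-fix behaviour
    users: set = field(default_factory=set)

    def login(self, user: str, password: str) -> bool:
        dn = f"uid={user},ou=people,dc=example,dc=com"   # assumed DN mapping
        # The fix described in the note: incomplete credentials are not forwarded.
        if not self.forward_incomplete_credentials and (not user or not password):
            return False
        if not self.directory.simple_bind(dn, password):
            return False
        if user not in self.users:
            if not self.auto_create_users:
                return False
            self.users.add(user)   # a bypass here creates an attacker-chosen user
        return True


def demo() -> tuple:
    """Returns (vulnerable bypass, patched bypass, patched valid login, hardened LDAP)."""
    alice = "uid=alice,ou=people,dc=example,dc=com"
    weak_ldap = MockDirectory({alice: "correct horse"}, allow_unauthenticated_bind=True)
    hardened_ldap = MockDirectory({alice: "correct horse"})   # default: rejects
    vulnerable = HanaLdapAuth(weak_ldap)
    patched = HanaLdapAuth(weak_ldap, forward_incomplete_credentials=False)
    unpatched_but_safe_ldap = HanaLdapAuth(hardened_ldap)
    return (vulnerable.login("mallory", ""), patched.login("mallory", ""),
            patched.login("alice", "correct horse"),
            unpatched_but_safe_ldap.login("mallory", ""))
```

The fourth value shows the workaround side: even an unpatched HANA is safe when the directory itself rejects unauthenticated bind, which is worth verifying on the LDAP server independently of the revision upgrade.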
The advisory is valid for:
- HDB 2.00 3

Other missing-authentication advisories listed on the same page (CVSS score, CVE, title):
- 10.0 [CVE-2020-26829] Missing Authentication Check in SAP NetWeaver AS JAVA (P2P Cluster Communication)
- 10.0 [CVE-2020-6207] Missing Authentication Check in SAP Solution Manager (User-Experience Monitoring)
- 9.8 [CVE-2020-6198] Missing Authentication Check in SAP Solution Manager (Diagnostics Agent)
- 8.6 [CVE-2020-6235] Missing Authentication Check in SAP Solution Manager (Diagnostics Agent)
- 8.5 [CVE-2020-6294] Missing Authentication Check in SAP BusinessObjects Business Intelligence Platform