A note with CVSS 8.3 for component MDM-FN-MDS-SEC was released by SAP on 13.04.2021. The correction/advisory 3017908 was described with "[CVE-2021-21482] Information Disclosure in SAP NetWeaver Master Data Management" and affects the system type Java.
A workaround exists, according to SAP Security Advisory team. It is advisable to implement the correction as part of maintenance.
The vulnerability addressed is information disclosure within Java.
Information disclosure is when an application fails to properly protect sensitive and confidential information from
parties that are not supposed to have access to the subject matter in normal circumstances.
Carefully review every information disclosure vulnerablity in regards to disclosure obligations post-GDPR for ‘Personal data’ under the Data Protection Act 2018.
Risk specificationWhen security guidelines and recommendations concerning administrative accounts of an SAP NetWeaver Master Data Management installation have not been thoroughly reviewed, a malicious user with access to the MDM Server subnet might try to find the password using a brute-force method.
SAP NetWeaver Master Data Management has been updated so that the configuration of locking has been enabled for all account roles. Although an alternative solution exists, it is advisable to apply the correction! This is the workaround, which was suggested by the SAP security experts: "In order to minimize the risk of an attack being successful, a strong password policy for accounts of all types has to be enforced. Change all passwords of accounts with Admin role in accordance to the parameters described in this note.".
SAP Netweaver Application Server Java is part of the SAP NetWeaver Application Platform. It provides the complete infrastructure for deploying and running Java applications.
- The AS Java Home: SAP Netweaver Application Server Java wiki
- A dedicated SAP NetWeaver 7.40 Application Server for Java Security Guide exists.
The advisory is valid for
- MDM_CLIX 710 4
- MDM_CLIX 710.750 3
- MDM_CONSOLE 710 4
- MDM_CONSOLE 710.750 3
- MDM_DATA_MANAGER 710 4
- MDM_DATA_MANAGER 710.750 3
- MDM_IMPORT_MANAGER 710 4
- MDM_IMPORT_MANAGER 710.750 3
- MDM_IMP_SRV 710 4
- MDM_IMP_SRV 710.750 3
- MDM_LANGUAGE_SELECTOR 710 3
- MDM_LANGUAGE_SELECTOR 710.750 3
- MDM_SERVER 7.1 4
- MDM_SERVER 710.750 3
- MDM_SHARED_INSTALL_CONTENT 710 4
- MDM_SHARED_INSTALL_CONTENT 710.750 3
- MDM_SYNDICATOR 710 4
- MDM_SYNDICATOR 710.750 3
- 9.0 [CVE-2020-6252] Information Disclosure in SAP Adaptive Server Enterprise (Cockpit)
- 8.9 Information Disclosure in Central Order
- 8.6 [CVE-2020-6264] Information Disclosure in SAP Commerce
- 8.2 [CVE-2021-21483] Information Disclosure in SAP Solution Manager
- 7.8 [CVE-2021-27613] Information Disclosure in SAP Business One (Chef business-one-cookbook)