SAP takes the security of its vast product portfolio very seriously and thus releases security fixes for
vulnerabilities reported by external researchers and its customers every second Tuesday of the month.
SAP Note 3077635 was released on 12.10.2021 and deals with "[CVE-2021-40498] Denial of service (DOS) in the SAP SuccessFactors Mobile Application for Android devices" within SAP SuccessFactors.
We advise you to follow the instructions to resolve this denial of service (DoS) and information disclosure vulnerability, which has a high potential for exploitation, in component LOD-SF-FWK.
According to the SAP Security Advisory team, a workaround does not exist. It is advisable to implement the correction as part of the monthly patch process.
Risk specification
An authenticated attacker could leverage a method in the Android implementation of the SuccessFactors mobile application to consume all available system resources, leading to a client-side denial of service. This method can also be used to get data from other running applications, leading to a denial of service and an information disclosure.
The application code has been altered to no longer be susceptible to this type of attack.
The advisory is valid for