A note with CVSS 10.0 for component BC-JAS-JMS was released by SAP on 14.09.2021. The correction/advisory 3078609 was described with "[CVE-2021-37535] Missing Authorization check in SAP NetWeaver Application Server for Java (JMS Connector Service)" and affects the system type Java.
A workaround exists, according to SAP Security Advisory team. It is advisable to implement the correction as part of maintenance.
The vulnerability addressed is missing authorization check within Java.
Missing authority checks are still the most common security defect related to authorizations in custom code. Since SAP uses an explicit authorization model, an authority checks must be coded in order to be executed. If an explicit check is not coded, all users have access. This type of vulnerability not only exists in SAP standard it also exists in customer coding. Check your custom developments for vulnerabilities that pose a risk to your systems. SecurityBridge helps detect code vulnerabilities before they are implemented in production.
Risk specificationJMS Connector Service does not perform necessary authorization checks, resulting in a possible escalation of privileges by unauthenticated users.
The missing authorization checks are now being properly enforced. Although an alternative solution exists, it is advisable to apply the correction! This is the workaround, which was suggested by the SAP security experts: "SAP provides also a temporary workaround, described in SAP Note 3093977. The workaround avoids the immediate system restart as it is an online deployment.".
SAP Netweaver Application Server Java is part of the SAP NetWeaver Application Platform. It provides the complete infrastructure for deploying and running Java applications.
- The AS Java Home: SAP Netweaver Application Server Java wiki
- A dedicated SAP NetWeaver 7.40 Application Server for Java Security Guide exists.
The advisory is valid for
- 10.0 [Multiple CVE IDs] Missing Authentication Check in SAP Solution Manager (JAVA stack)
- 9.8 [CVE-2023-40309] Missing Authorization check in SAP CommonCryptoLib
- 9.6 [CVE-2021-21481] Missing Authorization Check in SAP NetWeaver AS JAVA (MigrationService)
- 9.6 [CVE-2023-31403] Improper Access Control vulnerability in SAP Business One product installation
- 9.6 [CVE-2020-6320] Improper Access Control in SAP Marketing (Mobile Channel Servlet)