On 14.12.2021 a security-relevant correction was released by SAP SE. The manufacturer resolves an issue within SAP Landscape Management.
SAP Note 3107332 addresses "Missing Authorization Check in SAP Landscape Management"; the risk for exploitation is rated medium.
A workaround does not exist, according to the SAP Security Advisory team, which advises implementing the correction as part of regular maintenance.
Risk specification
SAP Landscape Management 3.0 SP 20 PL1 and SP 20 PL2 do not perform the necessary authorization checks when executing a custom operation for an authenticated user, resulting in escalation of privileges.
The SAP Landscape Management application has been fixed to now properly check for authorization when executing a custom operation.
The advisory is valid for:
- VCM 3.00 4