SAP takes the security of its vast product portfolio very seriously and therefore releases security fixes for vulnerabilities reported by external researchers and its customers every second Tuesday of the month.
SAP Note 3249990 was released on 08.11.2022 and deals with "[CVE-2021-20223] Multiple Vulnerabilities in SQlite bundled with SAPUI5" within ABAP and Java. We advise you to follow its instructions to resolve a denial of service (DoS) vulnerability, rated Hot News for its potential for exploitation, in component CA-UI5-VTK-VIT.
According to the SAP Security Advisory team, no workaround exists. It is advisable to implement the correction as part of the monthly patch process.
Denial of Service (DoS) attacks that take a system offline may lead to significant cost for the company; studies put the average cost at between 4 and 5 million dollars. Business continuity requires SAP systems to stay online. CVSS scores and vulnerability descriptions alone are not enough to convey how a simple bug can lead to a significant loss for a company.
Risk specification
UPDATE 16th November 2022: CVE-2021-20223 was withdrawn by its CNA, as further investigation showed that it was not a security issue. Hence the severity of the security note has been reduced from 'Very High' to 'High'. The SQLite library used by the SAPUI5 framework allows an unauthenticated user to manipulate the Unicode 61 tokenizer, resulting in a denial of service in the browser displaying SAPUI5 applications.
The issue was fixed in the latest versions of SQLite and is resolved in the SAPUI5 patch releases listed in the note.