SAP NetWeaver AS for ABAP versions 731, 740, and 750 are affected by CVE-2021-27603, a vulnerability that allows an attacker to cause a Denial of Service by keeping work processes busy. Here's what you need to know about this CVE.
Understanding CVE-2021-27603
This section will provide insights into the vulnerability and its impact on SAP systems.
What is CVE-2021-27603?
The vulnerability in SAP NetWeaver AS for ABAP versions 731, 740, and 750 allows attackers to block all work processes, leading to Denial of Service and impacting system availability.
The Impact of CVE-2021-27603
This vulnerability is rated Medium severity, with a CVSS base score of 6.5. The availability impact is high, and exploitation requires only low privileges.
Technical Details of CVE-2021-27603
Let's delve into the technical aspects of the vulnerability.
Vulnerability Description
The RFC-enabled function module SPI_WAIT_MILLIS in SAP NetWeaver AS ABAP versions 731, 740, and 750 allows work processes to be kept busy indefinitely, enabling attackers to trigger a Denial of Service.
Affected Systems and Versions
SAP NetWeaver AS for ABAP versions < 731, < 740, and < 750 are affected by this vulnerability.
Exploitation Mechanism
Attackers can exploit this vulnerability by invoking the SPI_WAIT_MILLIS function module multiple times, leading to a complete block of work processes.
Mitigation and Prevention
Learn how to mitigate the risks associated with CVE-2021-27603.
Immediate Steps to Take
It is recommended to apply relevant patches and security updates provided by SAP to address this vulnerability promptly.
Long-Term Security Practices
Implementing robust security measures and monitoring for anomalous activities can help prevent and detect similar vulnerabilities in the future.
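One way to act on the monitoring advice above, as an added example rather than code from SAP or from the original page: it counts how many SPI_WAIT_MILLIS calls from one caller overlap in time and flags callers whose overlapping calls would occupy a set share of the work processes. The log layout, user names, work process count, and the 0.5 threshold are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: start time, caller, RFC function module, runtime in ms.
# Column names and layout are hypothetical, not an SAP log format.
SAMPLE_LOG = """start,user,function_module,runtime_ms
2021-04-13T10:00:00,BATCH_USR,RFC_PING,12
2021-04-13T10:00:01,JDOE,SPI_WAIT_MILLIS,600000
2021-04-13T10:00:02,JDOE,SPI_WAIT_MILLIS,600000
2021-04-13T10:00:02,JDOE,SPI_WAIT_MILLIS,600000
2021-04-13T10:00:03,JDOE,SPI_WAIT_MILLIS,600000
2021-04-13T10:05:00,MONITOR,SPI_WAIT_MILLIS,500
2021-04-13T10:30:00,MONITOR,SPI_WAIT_MILLIS,500
"""

WATCHED_MODULE = "SPI_WAIT_MILLIS"


def peak_concurrency(log_text, module=WATCHED_MODULE):
    """Return {user: max number of overlapping calls to `module`}."""
    events = defaultdict(list)  # user -> [(time, +1/-1), ...]
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["function_module"] != module:
            continue
        start = datetime.fromisoformat(row["start"])
        end = start + timedelta(milliseconds=int(row["runtime_ms"]))
        events[row["user"]] += [(start, 1), (end, -1)]
    peaks = {}
    for user, marks in events.items():
        busy = peak = 0
        # Sort ends (-1) before starts (+1) at equal timestamps so a call that
        # finishes exactly when another begins is not counted as overlapping.
        for _, delta in sorted(marks, key=lambda m: (m[0], m[1])):
            busy += delta
            peak = max(peak, busy)
        peaks[user] = peak
    return peaks


def flag_callers(log_text, work_processes, ratio=0.5):
    """Callers whose overlapping waits hold >= ratio of the work processes."""
    limit = work_processes * ratio
    return sorted(u for u, p in peak_concurrency(log_text).items() if p >= limit)


if __name__ == "__main__":
    print(flag_callers(SAMPLE_LOG, work_processes=8))
```

Short, isolated calls such as those from the constructed MONITOR user stay below the threshold, while a caller stacking long waits is reported.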
Patching and Updates
Regularly update SAP NetWeaver AS for ABAP to the latest secure versions to safeguard your system against known vulnerabilities.