Symptoms of CVE-2021-27616
CVE-2021-27616 : Information Disclosure
Several vulnerabilities have been identified in SAP Business One for SAP HANA (Business-One-Hana-Chef-Cookbook).
The business-one-hana-chef-cookbook, which is used to install SAP Business One for SAP HANA, uses an insecure temporary backup path. A local attacker can exploit this path to read information that would otherwise be restricted.
CVSS score as per SAP: 7.8; CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
| Metric                    | Value          |
| Attack Vector (AV)        | Local (L)      |
| Attack Complexity (AC)    | Low (L)        |
| Privileges Required (PR)  | Low (L)        |
| User Interaction (UI)     | None (N)       |
| Scope (S)                 | Unchanged (U)  |
| Confidentiality Impact (C)| High (H)       |
| Integrity Impact (I)      | High (H)       |
| Availability Impact (A)   | High (H)       |
Software components affected:
SAP Business One for SAP HANA (B1_ON_HANA): 8.82, 9.0, 9.1, 9.2, 9.3, 10.0
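The advisory does not describe the cookbook's actual code, so the following is an added illustration, written for this page and not taken from the business-one-hana-chef-cookbook, of the general pattern behind an "insecure temporary backup path" finding: a backup written to a fixed, world-readable file in a shared temp directory is readable by any other local user (which matches the AV:L/PR:L vector above), while a backup written into a freshly created 0700 directory with a 0600 file is not. The file names, the SAMPLE_BACKUP content and the insecure_backup_path? check are all constructed for the example; it is plain Ruby (the language Chef cookbooks are written in) and runs with only the standard library.

```ruby
# Added example, not code from the business-one-hana-chef-cookbook.
# Contrasts an insecure temporary backup path with a hardened one and
# provides an audit check a practitioner can run over a cookbook's output.
require 'fileutils'
require 'tmpdir'

# Constructed stand-in for a configuration backup; not real credentials.
SAMPLE_BACKUP = "hana_user=SYSTEM\nhana_password=example-only\n".freeze

# Insecure pattern: a fixed, predictable file name directly in the shared
# temp directory. On most systems the default umask leaves it 0644; the
# chmod makes the example deterministic regardless of the local umask.
def write_backup_insecure(tmp_root = Dir.tmpdir)
  path = File.join(tmp_root, 'b1h_backup.cfg')
  File.write(path, SAMPLE_BACKUP)
  File.chmod(0o644, path)          # world-readable: any local user can read it
  path
end

# Hardened pattern: Dir.mktmpdir creates an unpredictably named directory
# with mode 0700; the file is created O_EXCL (no symlink race) with 0600.
def write_backup_secure(base_dir = Dir.tmpdir)
  dir = Dir.mktmpdir('b1h-backup-', base_dir)
  path = File.join(dir, 'backup.cfg')
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) do |f|
    f.write(SAMPLE_BACKUP)
  end
  path
end

# Audit check (hypothetical helper): a backup path is insecure when the
# file is readable by group or others, or when its containing directory is
# accessible to group or others (e.g. a file placed directly in /tmp).
def insecure_backup_path?(path)
  file_mode = File.stat(path).mode
  return true if (file_mode & 0o044) != 0          # g/o read bit on the file
  dir_mode = File.stat(File.dirname(File.expand_path(path))).mode
  (dir_mode & 0o077) != 0                          # g/o access on the directory
end

# Runs both patterns, audits them, cleans up, and returns the findings.
def demo
  insecure = write_backup_insecure
  secure = write_backup_secure
  {
    insecure_flagged: insecure_backup_path?(insecure),
    insecure_mode: File.stat(insecure).mode & 0o777,   # 0o644
    secure_flagged: insecure_backup_path?(secure),
    secure_mode: File.stat(secure).mode & 0o777        # 0o600
  }
ensure
  FileUtils.rm_f(insecure) if insecure
  FileUtils.rm_rf(File.dirname(secure)) if secure
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |k, v| puts "#{k}: #{v.is_a?(Integer) ? format('%o', v) : v}" }
end
```

In a Chef recipe the same distinction is expressed with resource properties: the backup directory as a `directory` resource with `mode '0700'` and an explicit `owner`, and the backup itself as a `file` or `template` resource with `mode '0600'` and `sensitive true` so its contents are not echoed into the Chef run log. The audit function above can be pointed at whatever path the cookbook actually produced to confirm the fix took effect.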
CVE-2021-27614 : Code Injection
The business-one-hana-chef-cookbook, used to install SAP Business One for SAP HANA, allows an attacker to inject code that is then executed by the application, giving the attacker control of the application.
CVSS score as per SAP: 7.3; CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H
Solution and workaround:
As a workaround, the affected SAP Business One components can be manually uninstalled and reinstalled. Because this is only a temporary fix, SAP strongly recommends applying the solution described in this updated SAP Note.