CVE-2021-27616 : Multiple vulnerabilities in SAP Business One

SAP Security

Symptoms of CVE-2021-27616

CVE-2021-27616 : Information Disclosure

CVE-2021-27616: several vulnerabilities have been identified in SAP Business One for SAP HANA (Business-One-Hana-Chef-Cookbook).
The business-one-hana-chef-cookbook is used to install SAP Business One for SAP HANA. It writes to an insecure temporary backup path, which allows a local attacker to read information that would otherwise be restricted.
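The advisory does not say how the cookbook builds its backup path, so the following is an added illustration and not SAP's or the cookbook's code: the general pattern behind an insecure temporary backup path, written in Ruby because Chef cookbooks are Ruby, beside the hardened form. The file names, the sample config content and the audit check are assumptions made for this example.

```ruby
require 'tmpdir'

# Insecure pattern: a predictable file name in the shared temp directory,
# written with the process umask (0644 under the usual 022). Any local user
# can read the copy, and an attacker who pre-planted a file or symlink at
# that path has it silently overwritten or followed.
def insecure_backup(source, name = 'b1_config.bak') # name is hypothetical
  dest = File.join(Dir.tmpdir, name)
  File.binwrite(dest, File.binread(source))
  dest
end

# Hardened write: O_EXCL makes creation fail if anything already exists at
# dest (a planted file or symlink), and the 0600 mode keeps it owner-only.
def exclusive_write(dest, source)
  File.open(dest, File::WRONLY | File::CREAT | File::EXCL, 0o600) do |out|
    out.write(File.binread(source))
  end
  dest
end

# Hardened pattern: Dir.mktmpdir creates a randomly named directory with
# mode 0700, so the path is neither predictable nor reachable by other users.
def secure_backup(source)
  dir = Dir.mktmpdir('b1_config-')
  exclusive_write(File.join(dir, 'config.bak'), source)
end

# Audit check for a backup path: does group or other hold any permission bit?
def shared_accessible?(path)
  (File.stat(path).mode & 0o077) != 0
end

# Constructed sample standing in for the installer's restricted data; the
# values are placeholders, not real SAP configuration.
def make_sample_config
  path = File.join(Dir.mktmpdir('b1_src-'), 'config.ini')
  File.write(path, "[db]\nuser=SYSTEM\npassword=placeholder\n")
  path
end

if $PROGRAM_NAME == __FILE__
  src = make_sample_config
  [insecure_backup(src), secure_backup(src)].each do |path|
    printf("%s mode=%04o shared=%s\n",
           path, File.stat(path).mode & 0o777, shared_accessible?(path))
  end
end
```

Running it prints the two paths with their modes: the insecure copy lands at a fixed name under the shared temp directory with mode 0644, the hardened one in a fresh 0700 directory with mode 0600. The same permission check is worth running over a host after the fix: any backup left in the temp directory with group or other bits set is still exposed.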

CVSS

CVSS score as per SAP: 7.8; CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

The vector is local (AV:L) with low privileges required (PR:L): exploitation needs an account on the host where the cookbook performed the installation, not network access to it.

CVSS v3.0 Base Vector

Name                        Value
Attack Vector (AV)          Local (L)
Attack Complexity (AC)      Low (L)
Privileges Required (PR)    Low (L)
User Interaction (UI)       None (N)
Scope (S)                   Unchanged (U)
Confidentiality Impact (C)  High (H)
Integrity Impact (I)        High (H)
Availability Impact (A)     High (H)

Software components affected:

SAP Business One for SAP HANA -> B1_ON_HANA : 8.82, 9.0, 9.1, 9.2, 9.3, 10.0

CVE-2021-27614 : Code Injection

The business-one-hana-chef-cookbook, used to install SAP Business One on SAP HANA, allows an attacker to inject code that the application then executes, giving the attacker control of the application.

  • CVSS score as per SAP: 7.3; CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H

This is the same local, low-privilege vector as above, rated lower only because the confidentiality impact is Low (C:L).

Solution and workaround:

As a workaround, the affected SAP Business One components can be manually uninstalled and reinstalled. This is only a temporary fix; SAP strongly recommends applying the solution described in the updated SAP Note. After applying it, check whether any backup files written by the vulnerable cookbook are still present and readable in the temporary directory, and remove them.