CVE-2021-33684

EUVD-2021-20361

14.07.2021, 12:15

SAP NetWeaver AS ABAP and ABAP Platform, versions - KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, KRNL64UC 8.04, 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.53, KERNEL 8.04, 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.53, 7.77, 7.81, 7.84, allows an attacker to send overlong content in the RFC request type thereby crashing the corresponding work process because of memory corruption vulnerability. The work process will attempt to restart itself after the crash and hence the impact on the availability is low.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
sap	CNA	5.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Base Score

CVSS 3.x

EPSS Score

Percentile: 39%

Affected Products (NVD)

Vendor	Product	Version
sap	netweaver_abap	7.21
sap	netweaver_abap	7.21ext:ext
sap	netweaver_abap	7.22
sap	netweaver_abap	7.22ext:ext
sap	netweaver_abap	7.49
sap	netweaver_abap	7.53
sap	netweaver_abap	7.77
sap	netweaver_abap	7.81
sap	netweaver_application_server_abap	7.21
sap	netweaver_application_server_abap	7.21ext:ext
sap	netweaver_application_server_abap	7.22
sap	netweaver_application_server_abap	7.22ext:ext
sap	netweaver_application_server_abap	7.49
sap	netweaver_application_server_abap	7.53
sap	netweaver_application_server_abap	7.77
sap	netweaver_application_server_abap	7.81

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-787 - Out-of-bounds Write
The software writes data past the end, or before the beginning, of the intended buffer.

References

https://launchpad.support.sap.com/#/notes/3032624

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506

https://launchpad.support.sap.com/#/notes/3032624

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506