Vulnerability Name: CVE-2021-27606 (CCN-203362)
Assigned: 2021-06-08
Published: 2021-06-08
Updated: 2022-10-31
Summary: SAP NetWeaver ABAP Server and ABAP Platform (Enqueue Server), versions - KRNL32NUC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73, allows an unauthenticated attacker without specific knowledge of the system to send a specially crafted packet over a network which will trigger an internal error in the system due to improper input validation in method EncOAMParamStore() causing the system to crash and rendering it unavailable. In this attack, no data in the system can be viewed or modified.
CVSS v3 Severity:
7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None; Integrity (I): None; Availability (A): High
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None; Integrity (I): None; Availability (A): High
CVSS v2 Severity:
5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Low; Authentication (Au): None
Impact Metrics: Confidentiality (C): None; Integrity (I): None; Availability (A): Partial
7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)
Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Low; Authentication (Au): None
Impact Metrics: Confidentiality (C): None; Integrity (I): None; Availability (A): Complete
Vulnerability Type: CWE-125
Vulnerability Consequences: Denial of Service
References:
Source: MITRE; Type: CNA; CVE-2021-27606
Source: XF; Type: UNKNOWN; sap-cve202127606-dos(203362)
Source: CCN; Type: SAP Web site; SAP Support Note 3020209
Source: MISC; Type: Permissions Required, Vendor Advisory; https://launchpad.support.sap.com/#/notes/3020104
Source: CCN; Type: SAP Security Patch Day - June 2021; SAP Security Patch Day - June 2021
Source: MISC; Type: Broken Link, Vendor Advisory; https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999
Vulnerable Configuration:
Configuration 1:
cpe:/a:sap:netweaver_as_abap:krnl32nuc_7.22:*:*:*:*:*:*:* OR
cpe:/a:sap:netweaver_as_abap:krnl32nuc_7.22ext:*:*:*:*:*:*:* OR
cpe:/a:sap:netweaver_as_abap:krnl64nuc_7.22:*:*:*:*:*:*:* OR
cpe:/a:sap:netweaver_as_abap:krnl64nuc_7.22ext:*:*:*:*:*:*:* OR
cpe:/a:sap:netweaver_as_abap:krnl64nuc_7.49:*:*:*:*:*:*:* OR
cpe:/a:sap:netweaver_as_abap:krnl64uc_8.04:*:*:*:*:*:*:* OR
cpe:/a:sap:netweaver_as_abap:kernel_7.22:*:*:*:*:*:*:* OR
cpe:/a:sap:netweaver_as_abap:kernel_7.49:*:*:*:*:*:*:* OR
cpe:/a:sap:netweaver_as_abap:kernel_8.04:*:*:*:*:*:*:* OR
cpe:/a:sap:netweaver_as_abap:krnl64uc_7.22:*:*:*:*:*:*:* OR
cpe:/a:sap:netweaver_as_abap:krnl64uc_7.22ext:*:*:*:*:*:*:* OR
cpe:/a:sap:netweaver_as_abap:krnl64uc_7.49:*:*:*:*:*:*:* OR
cpe:/a:sap:netweaver_as_abap:krnl64uc_7.53:*:*:*:*:*:*:* OR
cpe:/a:sap:netweaver_as_abap:krnl64uc_7.73:*:*:*:*:*:*:* OR
cpe:/a:sap:netweaver_as_abap:kernel_7.53:*:*:*:*:*:*:* OR
cpe:/a:sap:netweaver_as_abap:kernel_7.73:*:*:*:*:*:*:* OR
cpe:/a:sap:netweaver_as_abap:kernel_7.77:*:*:*:*:*:*:* OR
cpe:/a:sap:netweaver_as_abap:kernel_7.81:*:*:*:*:*:*:* OR
cpe:/a:sap:netweaver_as_abap:kernel_7.82:*:*:*:*:*:*:* OR
cpe:/a:sap:netweaver_as_abap:kernel_7.83:*:*:*:*:*:*:*
sap netweaver as abap krnl32nuc_7.22
sap netweaver as abap krnl32nuc_7.22ext
sap netweaver as abap krnl64nuc_7.22
sap netweaver as abap krnl64nuc_7.22ext
sap netweaver as abap krnl64nuc_7.49
sap netweaver as abap krnl64uc_8.04
sap netweaver as abap kernel_7.22
sap netweaver as abap kernel_7.49
sap netweaver as abap kernel_8.04
sap netweaver as abap krnl64uc_7.22
sap netweaver as abap krnl64uc_7.22ext
sap netweaver as abap krnl64uc_7.49
sap netweaver as abap krnl64uc_7.53
sap netweaver as abap krnl64uc_7.73
sap netweaver as abap kernel_7.53
sap netweaver as abap kernel_7.73
sap netweaver as abap kernel_7.77
sap netweaver as abap kernel_7.81
sap netweaver as abap kernel_7.82
sap netweaver as abap kernel_7.83