Denial of Service in SAP NetWeaver AS ABAP
Impact on Business
A remote attacker can block all work processes of an SAP System running on SAP NetWeaver AS ABAP. This has a very high negative impact on the availability of the system and its business applications.
Vulnerability Details
The remote-enabled function module SPI_WAIT_MILLIS blocks a work process for a period of time whose length is controlled by the caller of the function module. A malicious user could call the function module multiple times from outside the system, in parallel, to block several or all work processes and thus make the system unavailable. The vulnerable function module is shipped with the SAP_BASIS software component and belongs to the SAP Process Monitoring Infrastructure (PMI) application component (BC-SRV-PMI).
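The following Python model, added here as an illustration and not taken from SAP or the advisory, shows the CWE-770 pattern behind this issue: a fixed pool of work processes and a remote-callable wait whose duration the caller chooses. It contrasts an unbounded dispatcher with a hardened one that clamps the caller-supplied wait server-side and caps the number of calls a single caller may hold at once. The pool size, wait values and caller name are constructed figures, and simulated time replaces real sleeping.

```python
"""Model of resource exhaustion in a fixed work-process pool (hypothetical code).

A remote-callable function lets the caller choose how long a work process
stays blocked.  Without limits a burst of long calls occupies every process;
the hardened pool clamps the duration and enforces a per-caller quota.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class WorkProcessPool:
    size: int                                  # total work processes (constructed figure)
    max_wait_ms: Optional[int] = None          # server-side clamp on the requested wait; None = unbounded
    per_caller_limit: Optional[int] = None     # max concurrent calls one caller may hold; None = unbounded
    busy: List[Tuple[str, int]] = field(default_factory=list)  # (caller, finish time in ms)
    rejected: int = 0

    def free(self, now_ms: int) -> int:
        """Release processes whose wait has elapsed and return the free count."""
        self.busy = [(c, t) for c, t in self.busy if t > now_ms]
        return self.size - len(self.busy)

    def wait_millis(self, caller: str, requested_ms: int, now_ms: int) -> Optional[int]:
        """Dispatch one call; return the wait actually granted, or None if refused."""
        self.free(now_ms)
        held = sum(1 for c, _ in self.busy if c == caller)
        if self.per_caller_limit is not None and held >= self.per_caller_limit:
            self.rejected += 1              # quota: one caller cannot take the whole pool
            return None
        if len(self.busy) >= self.size:
            self.rejected += 1              # pool exhausted: nothing left to dispatch
            return None
        granted = requested_ms if self.max_wait_ms is None else min(requested_ms, self.max_wait_ms)
        self.busy.append((caller, now_ms + granted))
        return granted


def burst(pool: WorkProcessPool, caller: str, calls: int, requested_ms: int) -> int:
    """Issue `calls` parallel requests at t=0; return free processes one second later."""
    for _ in range(calls):
        pool.wait_millis(caller, requested_ms, now_ms=0)
    return pool.free(1000)


if __name__ == "__main__":
    # Unbounded pool: ten 10-minute calls leave no work process for anyone else.
    print(burst(WorkProcessPool(size=10), "remote_caller", 10, 600_000))
    # Hardened pool: wait clamped to 1 s, at most 2 in-flight calls per caller.
    print(burst(WorkProcessPool(size=10, max_wait_ms=1000, per_caller_limit=2), "remote_caller", 10, 600_000))
```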
Solution
SAP has released SAP Note 3028729 which provides patched versions of the affected components.
The patches can be downloaded from https://me.sap.com/notes/3028729
Onapsis strongly recommends that SAP customers download the related security fixes and apply them to the affected components in order to reduce business risks.
Report Timeline
- 02/01/2021: Vulnerability reported to vendor.
- 02/04/2021: Vendor provides incident number.
- 04/13/2021: Patch released.
References
Advisory Information
- Public Release Date: 04/13/2021
- Security Advisory ID: ONAPSIS-2024-0048
- Vulnerability Submission ID: 881
- Researcher(s): Thomas Fritsch
Vulnerability Information
- Vendor: SAP
- Affected Components:
  - SAP_BASIS 702
  - SAP_BASIS 730
  - SAP_BASIS 731
  - SAP_BASIS 740
  - SAP_BASIS 750
  - SAP_BASIS 751
  - SAP_BASIS 752
  (Check SAP Note 3028729 for detailed information on affected releases)
- Vulnerability Class: [CWE-770: Allocation of Resources Without Limits or Throttling](https://cwe.mitre.org/data/definitions/770.html)
- CVSS v3 score: 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
- Risk Level: Medium
- Assigned CVE: [CVE-2021-27603](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27603)
- Vendor patch Information: [SAP Security Note 3028729](https://me.sap.com/notes/3028729)
Affected Components Description
The SAP_BASIS component contains the ABAP part of the technical layer of an SAP NetWeaver Application Server ABAP (SAP NW AS ABAP). It represents the technical foundation for all SAP applications and business processes that are based on SAP NW AS ABAP.
About our Research Labs
Onapsis Research Labs provides the industry with analysis of key security issues that impact mission-critical systems and applications.
Delivering frequent and timely security and compliance advisories with associated risk levels, Onapsis Research Labs combines in-depth knowledge and experience to deliver technical and business context with sound security judgment to the broader information security community.
Find all reported vulnerabilities at:
https://github.com/Onapsis/vulnerability_advisories
This advisory is licensed under a Creative Commons 4.0 BY-ND International License