
IT Security Isn’t Important! Right?


As an IT manager or user, you have an obligation to act. Why? See for yourself.

We are living in exciting times. Times that call for action as never before – both in a professional and personal context. One of the topics that amazingly is given short shrift all too often is IT security. After all, it’s not important. It will take care of itself. Just like updates. They’re sent out by the manufacturers automatically, aren’t they? But what does this mean exactly? Where is the sticking point?

The global IT environments are no longer based exclusively on physical machines in an in-house computing center. In fact, they are often no longer on company premises at all, or even in the same country. They are distributed all over in the computing centers of various providers. For that reason, opportunities abound for losing data, falling victim to attacks or losing access to parts of environments. But how can one overcome this challenge?

In our new Security Blog series, starting today, we would like to keep you informed about the latest security vulnerabilities and their updates. In a special series we will also explore new security topics in greater detail as ‘technical deep dives’.

In these we will cover the following vendors: SAP, Microsoft, Citrix, VMWare, Pulse Secure, Juniper, IBM, Oracle, Suse & Avantra.

At the beginning of our series, you will gain an overview of the security vulnerabilities of the month of June 2021:

SAP

CVE-2021-27602 – Remote Code Execution Vulnerability

Base Score 9.9

Affected component: SAP Commerce

This vulnerability is from April 2021 and was updated this month. It allows third parties to gain easy access to relevant data. We recommend that you patch this vulnerability as soon as possible.

CVE-2021-27610 – Improper Authentication in SAP NetWeaver ABAP Server and ABAP Platform

Base Score 9.0

Affected component: SAP NetWeaver ABAP Server and ABAP platform

The ABAP Server does not differentiate whether communication via RFC or HTTP takes place between application servers within the same SAP environment or with a server outside the environment. Attackers are therefore able to read credentials from internal communication, and multiple further attack scenarios become conceivable.

We recommend that you patch this vulnerability immediately!

CVE-2021-27635 – Missing XML Validation in SAP NetWeaver AS for Java

Base Score 8.7

Affected component: SAP NetWeaver AS for Java

This gap is critical: an authenticated attacker is able to connect over the network as an administrator and inject a prepared XML file. In this way the attacker can read any file on the system and in some cases even cause system failures.

SUSE

SUSE-SU-2021:1860-1 and SUSE-SU-2021:1830-1 – Security Update for libwebp

Base Score 9.1/9.8

Affected component: libwebp

Versions of libwebp before 1.0.1 contain an exploitable vulnerability.

If you use this component, please patch this vulnerability immediately.

SUSE-SU-2021:1646-1 and SUSE-SU-2021:1651-1 – Security update for graphviz

Base Score 9.8

Affected component: graphviz

The Graphviz graph visualization tools contain a buffer overflow that allows attackers to execute code remotely or carry out a denial-of-service (DoS) attack.

If you use this component, please patch this vulnerability immediately.

IBM

CVE-2021-26296 – Apache MyFaces is vulnerable to cross-site request forgery

Base Score 8.8

Affected component: Apache MyFaces

The Apache MyFaces component contains a vulnerability that allows requests to be forged via cross-site attacks: prepared HTTP requests can piggyback on a legitimate user's requests to perform other actions.

If you are using this component, you should look at this issue.

CVE-2021-28918 / CVE-2021-29418 / CVE-2021-23334 – node.js netmask module vulnerabilities

Base Score 9.1-9.8

Affected component: node.js netmask module

The node.js netmask module is susceptible to the spoofing of server requests. In addition, attackers can remotely circumvent security restrictions and execute code.

We recommend that you download the relevant updates and patch the vulnerabilities.

CVE-2021-23978 / CVE-2021-23954 / CVE-2021-23965 / CVE-2021-23964 / CVE-2021-23987 – Multiple vulnerabilities in Firefox

Base Score 8.8-9.8

Affected component: Firefox

Multiple vulnerabilities in Firefox allow attackers to run code remotely.

If you are using this product, you should download the current updates.

CVE-2021-24122 – Multiple Apache Tomcat vulnerabilities

Base Score 8.2

Affected component: Apache Tomcat

Because of a vulnerability in Tomcat, attackers can steal sensitive data. This is done through a targeted attack with prepared requests.

Please secure your Tomcat environment.

CVE-2021-24122 – Docker could allow a remote authenticated attacker to gain elevated privileges on the system

Base Score 8.0

Affected component: Docker

By using prepared requests, a remote attacker can elevate their privileges if the Docker daemon is running with the userns-remap option.

If you use this product, please patch this vulnerability immediately.

Pulse Secure

CVE-2021-22908 – Pulse Connect Secure buffer overflow vulnerability

Base Score 8.5

Affected component: Pulse Secure Connect VPN

A vulnerability in the Pulse Secure Connect VPN product allows a buffer overflow to be triggered.

Please patch this vulnerability soon.

VMWare

CVE-2021-21985 / CVE-2021-21986 – VMWare vCenter remote code execution vulnerabilities

Base Score 9.8

Affected component: vCenter

Multiple vulnerabilities in VMWare vCenter allow attackers to execute code remotely.

We recommend that you patch this vulnerability immediately!

If you have any questions or are not sure how to handle the vulnerabilities named above, don’t hesitate to contact us.

We will help you to be more secure!
