CVE-2021-21446

7.5 HIGH

📋 TL;DR

CVE-2021-21446 is a denial-of-service vulnerability in SAP NetWeaver AS ABAP that allows unauthenticated attackers to crash or flood the service, preventing legitimate users from accessing it. This affects SAP NetWeaver AS ABAP versions 740 through 755. Organizations running these versions without patches are vulnerable to service disruption.

💻 Affected Systems

Products:
  • SAP NetWeaver Application Server ABAP
Versions: 740, 750, 751, 752, 753, 754, 755
Operating Systems: All supported OS for SAP NetWeaver
Default Config Vulnerable: ⚠️ Yes
Notes: All standard installations of affected versions are vulnerable; no special configuration required for exploitation.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service outage of SAP NetWeaver AS ABAP, disrupting critical business operations dependent on SAP applications.

🟠 Likely Case

Service degradation or temporary unavailability affecting user productivity and business processes.

🟢 If Mitigated

Minimal impact with proper network segmentation and patching, though some resource consumption may still occur.

🌐 Internet-Facing: HIGH - Unauthenticated attackers can directly target exposed services without any credentials.
🏢 Internal Only: MEDIUM - Internal attackers or compromised systems could still exploit this, but requires network access.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability description indicates unauthenticated exploitation is possible, suggesting relatively simple attack vectors.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply SAP Security Note 3000306

Vendor Advisory: https://launchpad.support.sap.com/#/notes/3000306

Restart Required: Yes

Instructions:

1. Download SAP Note 3000306 from the SAP Support Portal.
2. Apply the note using SAP Note Assistant or manual implementation.
3. Restart the affected SAP NetWeaver AS ABAP instances.
4. Verify the patch is applied correctly.

🔧 Temporary Workarounds

Network Access Control

Applies to: all

Restrict network access to SAP NetWeaver AS ABAP services to trusted IP addresses only.

Use firewall rules to limit access to SAP ports (e.g., 3200, 3300, 3600) to authorized networks.

Load Balancer Rate Limiting

Applies to: all

Implement rate limiting on network devices or load balancers to prevent flooding attacks.

Configure rate limiting rules on your network infrastructure for SAP service ports.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate SAP systems from untrusted networks
  • Deploy intrusion prevention systems (IPS) with DoS protection capabilities in front of SAP services

🔍 How to Verify

Check if Vulnerable:

Check the SAP system version via transaction SM51 or SM50 and compare it against the affected versions list above.

Check Version:

In SAP GUI, execute transaction SM51 or run 'disp+work' command at OS level.

Verify Fix Applied:

Verify SAP Note 3000306 is applied using transaction SNOTE or by checking system patch status.

📡 Detection & Monitoring

Log Indicators:

  • Unusual connection patterns to SAP services
  • Service restart events in system logs
  • High resource consumption alerts

Network Indicators:

  • Abnormal traffic spikes to SAP ports
  • Connection attempts from unexpected sources

SIEM Query:

source="sap_logs" AND (event_type="service_restart" OR connection_count > threshold)
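The log and network indicators above can be checked with a small script rather than only a SIEM query. The following is an added example, not code from the advisory or from SAP: it parses constructed `key=value` log lines (the field names, the `app01_D00` instance name and the 10.0.0.x addresses are all assumptions), reports every `service_restart` event, and flags any source that exceeds a connection-count threshold to the SAP ports named in the workaround section within a sliding time window.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from a real SAP system): one source floods
# port 3200, another source connects normally, and a service restart event
# follows, mirroring the indicators listed in the Detection section.
SAMPLE_LOGS = [
    f"2021-01-12T10:00:0{i}Z src=10.0.0.5 dst_port=3200 event_type=connection"
    for i in range(6)
] + [
    "2021-01-12T10:00:03Z src=10.0.0.9 dst_port=3300 event_type=connection",
    "2021-01-12T10:00:07Z src=10.0.0.5 dst_port=8000 event_type=connection",
    "2021-01-12T10:00:30Z instance=app01_D00 event_type=service_restart",
]

SAP_PORTS = {"3200", "3300", "3600"}  # ports named in the workaround section


def parse(line):
    """Parse 'TIMESTAMP key=value ...' into a dict with a datetime under 'ts'."""
    ts_str, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect(lines, threshold=5, window=timedelta(seconds=60)):
    """Return (kind, subject, ts) alerts: every service restart, plus each
    source the first time it exceeds `threshold` connections to SAP ports
    inside a sliding `window`."""
    alerts = []
    recent = defaultdict(deque)  # src -> connection timestamps still in the window
    flagged = set()
    for ev in map(parse, lines):
        if ev.get("event_type") == "service_restart":
            alerts.append(("service_restart", ev.get("instance", "?"), ev["ts"]))
            continue
        if ev.get("event_type") != "connection" or ev.get("dst_port") not in SAP_PORTS:
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:  # drop timestamps that left the window
            q.popleft()
        if len(q) > threshold and ev["src"] not in flagged:
            flagged.add(ev["src"])
            alerts.append(("connection_flood", ev["src"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for kind, subject, ts in detect(SAMPLE_LOGS):
        print(f"{ts.isoformat()} {kind}: {subject}")
```

The threshold and window are tuning parameters; set them from a baseline of normal connection rates to your own SAP instances before alerting on them.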
