CVE-2021-21484

9.8 CRITICAL

📋 TL;DR

This vulnerability allows attackers to bypass LDAP authentication in SAP HANA Database when the LDAP directory server is configured to permit unauthenticated binds. Attackers can gain unauthorized access to the database without valid credentials. Organizations using SAP HANA Database version 2.0 with LDAP authentication are affected.

💻 Affected Systems

Products:
  • SAP HANA Database
Versions: Version 2.0
Operating Systems: All supported platforms
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when LDAP authentication is configured and the LDAP directory server allows unauthenticated binds.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the SAP HANA database, allowing attackers to access, modify, or exfiltrate sensitive data, execute arbitrary commands, or disrupt operations.

🟠 Likely Case

Unauthorized access to database contents, potentially leading to data theft, privilege escalation, or lateral movement within the network.

🟢 If Mitigated

Limited impact if proper network segmentation, monitoring, and access controls are implemented alongside patching.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to the SAP HANA instance and knowledge of LDAP configuration weaknesses.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply SAP Note 3017378

Vendor Advisory: https://launchpad.support.sap.com/#/notes/3017378

Restart Required: Yes

Instructions:

1. Download and apply SAP Note 3017378.
2. Restart SAP HANA services.
3. Verify that the LDAP directory server does not allow unauthenticated binds.

🔧 Temporary Workarounds

Disable LDAP unauthenticated binds (applies to: all)

Configure the LDAP directory server to reject unauthenticated bind requests.

# LDAP server configuration varies by vendor - consult your LDAP server documentation

Use alternative authentication (applies to: all)

Temporarily switch to database-native authentication instead of LDAP.

# Modify SAP HANA authentication configuration to use internal authentication

🧯 If You Can't Patch

  • Implement strict network access controls to limit access to SAP HANA Database ports
  • Enable comprehensive logging and monitoring for authentication attempts

🔍 How to Verify

Check if Vulnerable:

Check whether the SAP HANA version is 2.0 and LDAP authentication is configured. Then verify whether the LDAP directory server accepts unauthenticated bind requests, using an LDAP testing tool.
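The workaround above ("reject unauthenticated bind requests") and this check both come down to one question: does the directory return success for a simple bind that carries a DN but an empty password? The following probe is an added example for this advisory, not SAP's or any vendor's code. It hand-encodes the LDAP v3 BindRequest per RFC 4511 so it needs no third-party library, sends the empty-password bind (the "unauthenticated" mechanism of RFC 4513), and decodes the BindResponse resultCode. A directory that answers 0 (success) still permits unauthenticated binds; a hardened one answers 53 (unwillingToPerform) or 49 (invalidCredentials). The host, port and DN are placeholders; run it against your own directory.

```python
"""Unauthenticated-bind probe for the LDAP precondition in this advisory.

Added example (not SAP or any vendor's code). Host, port and DN below are
placeholders. The bind_response() encoder exists only to build constructed
sample replies so the module can demonstrate itself offline.
"""
import socket
from typing import Dict, Tuple

# LDAP resultCode values from RFC 4511 that matter for this check
SUCCESS, INVALID_CREDENTIALS, UNWILLING_TO_PERFORM = 0, 49, 53


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value


def bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, [APPLICATION 0] BindRequest {3, dn, simple pw} }."""
    body = (tlv(0x02, b"\x03")                 # version INTEGER 3
            + tlv(0x04, dn.encode())           # name LDAPDN
            + tlv(0x80, password.encode()))    # authentication: simple [0]
    return tlv(0x30, tlv(0x02, bytes([message_id])) + tlv(0x60, body))


def bind_response(message_id: int, code: int, diag: str = "") -> bytes:
    """Encode a BindResponse; used here only for constructed sample replies."""
    body = tlv(0x0A, bytes([code])) + tlv(0x04, b"") + tlv(0x04, diag.encode())
    return tlv(0x30, tlv(0x02, bytes([message_id])) + tlv(0x61, body))


def parse_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        pos += 2 + nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(buf: bytes) -> Tuple[int, int, str]:
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse."""
    tag, msg, _ = parse_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = parse_tlv(msg, 0)
    tag2, resp, _ = parse_tlv(msg, pos)
    if tag != 0x02 or tag2 != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = parse_tlv(resp, 0)        # resultCode ENUMERATED
    _, _matched, pos = parse_tlv(resp, pos)  # matchedDN (ignored)
    _, diag, _ = parse_tlv(resp, pos)        # diagnosticMessage
    return (int.from_bytes(mid, "big"), int.from_bytes(code, "big"),
            diag.decode("utf-8", "replace"))


def classify(code: int) -> str:
    """Map the resultCode of an empty-password bind to a finding."""
    if code == SUCCESS:
        return "ACCEPTED: directory permits unauthenticated binds (precondition present)"
    if code in (INVALID_CREDENTIALS, UNWILLING_TO_PERFORM):
        return "REJECTED: directory refuses unauthenticated binds"
    return f"OTHER: resultCode {code}"


def probe_unauthenticated_bind(host: str, port: int, dn: str,
                               timeout: float = 5.0) -> Dict[str, object]:
    """Send one empty-password simple bind to your directory and report the outcome."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(bind_request(1, dn, ""))
        reply = sock.recv(4096)
    mid, code, diag = parse_bind_response(reply)
    if mid != 1:
        raise ValueError("response messageID does not match request")
    return {"resultCode": code, "finding": classify(code), "diagnostic": diag}


if __name__ == "__main__":
    # Offline demonstration on constructed replies (no directory needed)
    for sample in (bind_response(1, SUCCESS),
                   bind_response(1, UNWILLING_TO_PERFORM, "unauthenticated bind disallowed")):
        print(classify(parse_bind_response(sample)[1]))
    # Against a real directory (placeholder values):
    # print(probe_unauthenticated_bind("ldap.example.internal", 389, "cn=probe,dc=example,dc=com"))
```

An anonymous bind (empty DN and empty password) is a different mechanism and is often deliberately allowed for read access; this probe specifically sends a non-empty DN with an empty password, which is the case the workaround must close. Repeat the check after changing the directory configuration and expect a 49 or 53 result.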

Check Version:

SELECT * FROM M_DATABASE;

Verify Fix Applied:

Confirm SAP Note 3017378 is applied and test authentication with invalid credentials to ensure it fails.

📡 Detection & Monitoring

Log Indicators:

  • Failed authentication attempts from unexpected sources
  • Successful database logins with no corresponding credentialed bind in the LDAP server logs

Network Indicators:

  • LDAP bind requests without credentials to the directory server
  • Database connections from unauthorized IP addresses

SIEM Query:

source="hana_audit_log" AND (event="authentication_failure" OR event="authentication_success") | stats count by src_ip, user
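The SIEM query above only aggregates events by source and user; the indicators listed before it need a second pass over the result. The script below is an added example (not a vendor query or SAP code) that reproduces the `stats count by src_ip, user` aggregation over constructed HANA-audit-style records and adds the two checks a defender wants here: LDAP-authenticated logins from outside the expected source ranges, and a burst of failures that ends in a success from the same user and source. The record layout, field names and address ranges are assumptions, not SAP's audit-log format.

```python
"""Detection example for the log indicators in this advisory.

Added example, not SAP or vendor code. The record format, field names and
the EXPECTED_SOURCES ranges are assumptions; SAMPLE_LOG is constructed.
"""
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Assumed application-tier ranges from which database logins are expected
EXPECTED_SOURCES = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed sample log: timestamp;event;user;src_ip;mechanism
SAMPLE_LOG = """\
2021-05-11T08:00:01;authentication_success;APP_SVC;10.20.1.15;LDAP
2021-05-11T08:00:07;authentication_failure;DBA_JDOE;10.20.1.40;LDAP
2021-05-11T08:00:09;authentication_failure;DBA_JDOE;10.20.1.40;LDAP
2021-05-11T08:00:11;authentication_success;DBA_JDOE;10.20.1.40;LDAP
2021-05-11T08:03:22;authentication_success;SYSTEM;192.168.77.9;LDAP
2021-05-11T08:05:00;authentication_success;APP_SVC;10.20.1.15;LDAP
"""


def parse_log(text: str) -> List[Dict[str, object]]:
    """Parse the semicolon-separated sample format into records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, src_ip, mech = line.split(";")
        records.append({"ts": datetime.fromisoformat(ts), "event": event,
                        "user": user, "src_ip": ipaddress.ip_address(src_ip),
                        "mechanism": mech})
    return records


def count_by_src_and_user(records) -> Counter:
    """Equivalent of `stats count by src_ip, user` in the SIEM query."""
    return Counter((str(r["src_ip"]), r["user"]) for r in records)


def logins_from_unexpected_sources(records) -> List[Tuple[str, str]]:
    """Successful LDAP logins whose source address is outside EXPECTED_SOURCES."""
    hits = []
    for r in records:
        if (r["event"] == "authentication_success" and r["mechanism"] == "LDAP"
                and not any(r["src_ip"] in net for net in EXPECTED_SOURCES)):
            hits.append((r["user"], str(r["src_ip"])))
    return hits


def failure_bursts_before_success(records, min_failures: int = 2,
                                  window_s: int = 60) -> List[Tuple[str, str]]:
    """(user, src_ip) pairs where >= min_failures failures within window_s precede a success."""
    by_key = defaultdict(list)
    for rec in sorted(records, key=lambda rec: rec["ts"]):
        by_key[(rec["user"], str(rec["src_ip"]))].append(rec)
    hits = []
    for key, events in by_key.items():
        recent_failures = []
        for r in events:
            if r["event"] == "authentication_failure":
                recent_failures.append(r["ts"])
            elif r["event"] == "authentication_success":
                in_window = [t for t in recent_failures
                             if (r["ts"] - t).total_seconds() <= window_s]
                if len(in_window) >= min_failures:
                    hits.append(key)
                recent_failures = []  # a success closes the window
    return hits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (src, user), n in sorted(count_by_src_and_user(recs).items()):
        print(f"{src:15} {user:10} {n}")
    print("unexpected sources:", logins_from_unexpected_sources(recs))
    print("failure bursts:", failure_bursts_before_success(recs))
```

Tune `EXPECTED_SOURCES`, `min_failures` and `window_s` to your environment; the burst rule is meant to surface the failure-then-success pattern the log indicators describe, and the source check covers the "unexpected sources" indicator without needing LDAP-side logs.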

🔗 References
