CVE-2021-33690
📋 TL;DR
This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in SAP NetWeaver Development Infrastructure Component Build Service that allows authenticated attackers to send crafted queries to perform proxy attacks. This could lead to complete compromise of sensitive server data and impact availability. Organizations running affected SAP NetWeaver versions with the Build Service component are vulnerable.
💻 Affected Systems
- SAP NetWeaver Development Infrastructure Component Build Service
📦 What is this software?
Netweaver Development Infrastructure by Sap
View all CVEs affecting Netweaver Development Infrastructure →
Netweaver Development Infrastructure by Sap
View all CVEs affecting Netweaver Development Infrastructure →
Netweaver Development Infrastructure by Sap
View all CVEs affecting Netweaver Development Infrastructure →
Netweaver Development Infrastructure by Sap
View all CVEs affecting Netweaver Development Infrastructure →
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise allowing data theft, lateral movement to internal systems, and denial of service impacting business operations.
Likely Case
Unauthorized access to internal systems and services, data exfiltration from the SAP server and connected systems.
If Mitigated
Limited impact to isolated systems with proper network segmentation and access controls.
🎯 Exploit Status
Requires authenticated access to the Build Service. SSRF vulnerabilities are commonly exploited once details are known.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply SAP Security Note 3072955
Vendor Advisory: https://launchpad.support.sap.com/#/notes/3072955
Restart Required: Yes
Instructions:
1. Download SAP Note 3072955 from SAP Support Portal. 2. Apply the patch following SAP's standard patching procedures. 3. Restart the affected SAP NetWeaver services.
🔧 Temporary Workarounds
Network Segmentation
allRestrict network access to SAP NetWeaver Build Service to only trusted systems
Access Control
allImplement strict authentication and authorization controls for Build Service access
🧯 If You Can't Patch
- Isolate the SAP NetWeaver system from internet access and restrict internal network connectivity
- Implement web application firewall (WAF) rules to block SSRF patterns and monitor for suspicious requests
🔍 How to Verify
Check if Vulnerable:
Check SAP system version and verify if Build Service component is installed and running on affected versions (7.11-7.50)Check Version:
Check SAP system version via transaction SM51 or SMICMVerify Fix Applied:
Verify SAP Note 3072955 has been applied successfully through SAP transaction SNOTE📡 Detection & Monitoring
Log Indicators:
- Unusual outbound requests from SAP server
- Multiple failed authentication attempts to Build Service
- Suspicious query patterns in Build Service logs
Network Indicators:
- Unexpected outbound connections from SAP server to internal systems
- Traffic patterns indicating proxy behavior
SIEM Query:
source="sap_logs" AND ("Build Service" OR "NWDI") AND ("crafted query" OR "unusual request" OR "SSRF")