CVE-2021-33705

8.1 HIGH

📋 TL;DR

CVE-2021-33705 is a Server-Side Request Forgery (SSRF) vulnerability in the Iviews Editor component of SAP NetWeaver Portal. An attacker who has no account on the Portal can craft a link which, when an unsuspecting user clicks it, makes the Portal itself submit a request to an internal or external server of the attacker's choosing. The attacker can thereby read or modify any data that is reachable from the Portal host. Affected releases are SAP NetWeaver Portal 7.10, 7.11, 7.20, 7.30, 7.31, 7.40 and 7.50.

💻 Affected Systems

Products:
  • SAP NetWeaver Portal
Versions: 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50
Operating Systems: All (the Portal runs on SAP NetWeaver AS Java, so the host OS is irrelevant)
Default Config Vulnerable: ⚠️ Yes
Notes: The flaw is in the Iviews Editor component. The attacker needs no credentials, but a Portal user must follow the crafted link for the request to be sent.

📦 What is this software?

SAP NetWeaver Portal (also called SAP Enterprise Portal, EP) is the Java-based web front end of the SAP NetWeaver stack. It runs on SAP NetWeaver Application Server Java and gives users role-based access to SAP and non-SAP applications through iViews, small web views assembled into pages, worksets and roles. The Iviews Editor is the content administration tool used to create and maintain those iViews, so it normally sits on a server that already has network paths to the SAP backends the Portal integrates.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker uses the Portal as a proxy into the internal network: reading data from backend SAP systems and internal HTTP services that trust the Portal host, reaching loopback-only or cloud metadata endpoints, or mapping internal hosts and ports as reconnaissance for lateral movement.

🟠

Likely Case

An attacker sends a crafted Portal link to an employee (phishing, chat, a page they already trust). When the user clicks it, the Portal makes the request on the attacker's behalf to an internal service or API the Portal can reach, returning or modifying data the attacker could not reach directly.

🟢

If Mitigated

With egress filtering on the Portal hosts and users who are wary of unexpected Portal links, the reachable set is reduced to the backends the Portal legitimately needs, so the impact is limited to those systems.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The attacker needs no account on the Portal and the request itself is trivial to construct; the only barrier is getting a Portal user to follow the link. Public exploit details are available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply SAP Security Note 3074844 (patched software component archives for each affected release)

Vendor Advisory: https://launchpad.support.sap.com/#/notes/3074844

Restart Required: Yes (the AS Java instance is restarted as part of the deployment)

Instructions:

1. Read SAP Security Note 3074844 and download the patched software component archives (SCAs) it lists for your release and support package level.
2. Deploy them with Software Update Manager (SUM), or JSPM on older releases, and let the AS Java instance restart.
3. Confirm the deployed patch level on the AS Java System Information page (http(s)://<host>:<port>/sap/monitoring/ComponentInfo, Administrator role required) matches the level named in the note.

Note: transaction SNOTE applies only to ABAP systems. The Portal is an AS Java application, so Java patches are deployed as SCAs, not as ABAP correction instructions.

🔧 Temporary Workarounds

Restrict Iviews Editor Access

all

Limit access to the Iviews Editor to the content administrators who actually need it, using the Portal's role and permission model. Caveat: this only shrinks the set of users whose click can trigger the request; it does not remove the flaw, because the attack is launched by an unauthenticated party and completed by a legitimate user.

Network Segmentation

all

Apply egress filtering on the Portal hosts (host firewall or network policy) so they can reach only the backend systems the Portal legitimately needs. An SSRF can only reach what the Portal itself can reach, so this bounds the blast radius; it cannot stop requests to services on the Portal host itself.

🧯 If You Can't Patch

  • Train users not to follow unexpected Portal links, and make it easy to report them; the exploit depends on a click.
  • Deploy web application firewall (WAF) or reverse-proxy rules that reject URL-typed request parameters pointing at loopback, RFC 1918, link-local (including the 169.254.169.254 cloud metadata address) or unspecified addresses, or using non-HTTP schemes. Normalize before matching: attackers spell 127.0.0.1 as 2130706433, 0x7f000001, 127.1 or [::ffff:127.0.0.1].

🔍 How to Verify

Check if Vulnerable:

Your Portal is vulnerable if it is release 7.10, 7.11, 7.20, 7.30, 7.31, 7.40 or 7.50 and the Portal software components are below the patch level given in SAP Security Note 3074844.

Check Version:

Open the AS Java System Information page (http(s)://<host>:<port>/sap/monitoring/SystemInfo, Administrator role required) to read the release, or SAP NetWeaver Administrator. SM50 and SM51 are ABAP transactions and do not exist on an AS Java Portal.

Verify Fix Applied:

Compare the patch level of the Portal software components shown on http(s)://<host>:<port>/sap/monitoring/ComponentInfo with the level listed in SAP Security Note 3074844. SNOTE cannot be used here because the Portal is not an ABAP system.

📡 Detection & Monitoring

Log Indicators:

  • Outbound HTTP requests from the Portal hosts to destinations that are not part of the Portal's known backend set
  • Portal request parameters carrying URLs that point at loopback, RFC 1918, link-local or unspecified addresses, or that use non-HTTP schemes, especially when the same user fetches several such targets in a short window

Network Indicators:

  • Connections from the Portal hosts to internal services they have never contacted before, or to many internal hosts/ports in sequence (port scanning through the Portal)
  • Portal requests whose URL parameters contain internal IP addresses, including integer or hex spellings of them

SIEM Query:

source="sap_portal" AND (url CONTAINS "localhost" OR url CONTAINS "127." OR url CONTAINS "2130706433" OR url CONTAINS "0x7f" OR url CONTAINS "[::1]" OR url CONTAINS "169.254." OR url CONTAINS "192.168." OR url CONTAINS "10." OR url CONTAINS "172.16." OR url CONTAINS "file://")

This is pseudo-syntax; map "source" and "url" to the index and field that hold the Portal request URL in your SIEM, and tune the RFC 1918 terms ("10." in particular) to your own address plan to control false positives.
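The indicator lists above, and the WAF rule suggested under "If You Can't Patch", both come down to one decision: does a URL found in a request point somewhere the Portal should not be asked to fetch? The script below is an added example, not SAP code and not taken from the page's sources. It runs that decision over a handful of constructed access log lines, handling the spellings an SSRF payload typically uses (decimal, hex and shortened IPv4 literals, IPv4-mapped IPv6, double URL encoding, non-HTTP schemes). The log format, the request path and the parameter name "target" are placeholders; the page does not name the vulnerable parameter and neither does this code. The same classify_target() function can back a WAF or reverse-proxy block list.

```python
"""Flag portal requests whose parameters carry URLs aimed at internal targets.

Added example for this page, not SAP code. The log format, the request path
and the parameter name "target" are constructed placeholders; the real
parameter used by the Iviews Editor is not named on this page or here.
"""
import ipaddress
import re
import socket
from urllib.parse import parse_qsl, unquote, urlsplit

# Schemes an SSRF payload may use that a portal link should never carry.
SUSPICIOUS_SCHEMES = {"file", "gopher", "dict", "ftp", "ldap", "jar"}
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

# Apache/NCSA-style access log line (constructed format for this example).
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)


def parse_host_ip(host):
    """Turn a URL host into an ip_address, accepting the alternate spellings
    SSRF payloads use (decimal/hex/octal integers, short dotted forms, IPv6).
    Returns None for names that would need DNS resolution."""
    host = host.strip("[]")
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:                       # 2130706433, 0x7f000001, 0o17700000001
        n = int(host, 0)
        return ipaddress.IPv4Address(n) if 0 <= n <= 0xFFFFFFFF else None
    except ValueError:
        pass
    try:                       # 127.1 or 127.0.1: inet_aton shorthand
        return ipaddress.IPv4Address(socket.inet_aton(host))
    except OSError:
        return None


def classify_target(url):
    """Return why `url` looks like an SSRF target, or None if it does not."""
    try:
        parts = urlsplit(url)
    except ValueError:         # malformed bracketed IPv6 literal
        return "unparseable"
    scheme = parts.scheme.lower()
    if scheme in SUSPICIOUS_SCHEMES:
        return "scheme:" + scheme
    host = (parts.hostname or "").lower()
    if not host:
        return None            # relative reference: stays on the portal itself
    if host in LOOPBACK_NAMES or host.endswith(".localhost"):
        return "loopback-name"
    ip = parse_host_ip(host)
    if ip is None:
        return None            # public name; DNS rebinding needs resolve-time checks
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped    # ::ffff:127.0.0.1 is 127.0.0.1 on the wire
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:      # 0.0.0.0 / :: reach loopback on Linux
        return "unspecified"
    if ip.is_link_local:       # 169.254.169.254 cloud metadata, fe80::/10
        return "link-local"
    if ip.is_private:          # RFC 1918, fc00::/7
        return "private"
    return None


def scan_line(line):
    """Return one hit dict per request parameter whose value targets an internal host."""
    m = LOG_LINE.match(line)
    if not m:
        return []
    hits = []
    for key, value in parse_qsl(urlsplit(m["path"]).query, keep_blank_values=True):
        url = unquote(value)   # parse_qsl decoded once; this catches double encoding
        reason = classify_target(url)
        if reason:
            hits.append({"src": m["src"], "user": m["user"], "param": key,
                         "target": url, "reason": reason})
    return hits


def scan_log(lines):
    return [hit for line in lines for hit in scan_line(line)]


SAMPLE_LOG = [  # constructed lines; "target" is a placeholder parameter name
    '10.1.2.3 - alice [12/Jul/2021:09:00:01 +0000] "GET /irj/portal?target=%2Firj%2Fservlet%2Fprt%2Fportal HTTP/1.1" 200 4210',
    '10.1.2.3 - alice [12/Jul/2021:09:00:05 +0000] "GET /irj/portal?target=https%3A%2F%2Fwww.example.com%2F HTTP/1.1" 200 1200',
    '198.51.100.7 - bob [12/Jul/2021:09:01:10 +0000] "GET /irj/portal?target=http%253A%252F%252F2130706433%252Fadmin HTTP/1.1" 200 88',
    '198.51.100.7 - bob [12/Jul/2021:09:01:11 +0000] "GET /irj/portal?target=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 88',
    '198.51.100.7 - bob [12/Jul/2021:09:01:12 +0000] "GET /irj/portal?target=http%3A%2F%2F%5B%3A%3Affff%3A127.0.0.1%5D%3A50000%2F HTTP/1.1" 200 88',
    '198.51.100.7 - bob [12/Jul/2021:09:01:13 +0000] "GET /irj/portal?target=file%3A%2F%2F%2Fetc%2Fhosts HTTP/1.1" 200 88',
    '198.51.100.7 - bob [12/Jul/2021:09:01:14 +0000] "GET /irj/portal?target=%2F%2F10.0.0.5%3A8000%2F HTTP/1.1" 200 88',
    '198.51.100.7 - bob [12/Jul/2021:09:01:15 +0000] "GET /irj/portal?target=http%3A%2F%2F127.1%2F HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["src"]} {hit["user"]} {hit["param"]}={hit["target"]} -> {hit["reason"]}')
```

Run against the constructed sample, the two alice requests (a relative Portal link and a public host) produce no hits, while each of bob's six requests is flagged with its reason. Public hostnames are deliberately left alone: deciding whether www.attacker.example resolves to an internal address requires resolving it at request time and re-checking after redirects, which is a WAF or egress-proxy job rather than a log search.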

🔗 References

  • SAP Security Note 3074844: https://launchpad.support.sap.com/#/notes/3074844
  • NVD entry for CVE-2021-33705: https://nvd.nist.gov/vuln/detail/CVE-2021-33705