Advisory
SAP takes the security of its vast product portfolio very seriously and thus releases security fixes for
vulnerabilities reported by external researchers and their customers every second Tuesday of the month.
SAP Note 2960815
was released on
08.09.2020 and deals with
"[Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer" within SAP 3D Visual Enterprise .
We advice you to follow the instructions, to resolve
denial of service (dos)
with a
medium potential for exploitation
in component CA-VE-VEV.
According to SAP Security Advisory team a workaround exists. It is advisable to implement the correction as part of maintenance.
Denial of Service (DoS) attacks that take a system offline may lead to significant cost for the company, studies quantify the costs in average between 4 and 5 millions dollars. Business continuity requires SAP systems staying online. The CVSS scores or vulnerability descriptions are not enough to represent how a simple bug can lead to a significant loss for companies.
Risk specification
SAP 3D Visual Enterprise Viewer does not validate user inputs properly, allowing an unauthenticated user to open manipulated files received from untrusted sources resulting in the application to crash and become temporarily unavailable. The file format details along with their CVE relevant information can be found below: Rhinoceros 3D Model (.3dm) - CVE-2020-6322, CVE-2020-6327, CVE-2020-6330, CVE-2020-6333 Windows Bitmap (.bmp) - CVE-2020-6346, CVE-2020-6350, CVE-2020-6339, CVE-2020-6356 Windows Bitmap (.dib) - CVE-2020-6360 Windows Bitmap (.rle) - CVE-2020-6361 Computer Graphics Metafile (.cgm) - CVE-2020-6328 Encapsulated PostScript (.eps) - CVE-2020-6341, CVE-2020-6343 Autodesk FBX (.fbx) - CVE-2020-6351, CVE-2020-6352, CVE-2020-6358 Graphics Interchange Format (.gif) - CVE-2020-6348, CVE-2020-6349 Radiance High Dynamic Range (.hdr) - CVE-2020-6347, CVE-2020-6337 HPGL (.hpgl, .hpg) - CVE-2020-6331, CVE-2020-6332, CVE-2020-6335, CVE-2020-6314 HPGL (.plt) - CVE-2020-6359 Portable Document Format (.pdf) - CVE-2020-6344 PiCture eXchange (.pcx) - CVE-2020-6340, CVE-2020-6336 Right Hemisphere Binary (.rh) - CVE-2020-6338 SketchUp Document (.skp) - CVE-2020-6334, CVE-2020-6353, CVE-2020-6329, CVE-2020-6354 TARGA (.tga) - CVE-2020-6345, CVE-2020-6355 Universal 3D (.u3d) - CVE-2020-6342, CVE-2020-6321, CVE-2020-6357Solution
Update the component SAP 3D Visual Enterprise Viewer, which now properly validates the input files. Alternativly, the consulting team has proposed the following: "None". The suggestion may be considered, as a workaround or compensating mitigation. We recommend installing/applying the correction wherever possible and as soon as possible. Base your decision on whether or not to apply the patch on your companies and systems risk perspective and consider the provided CVSS 4.3 score.
- 9.8 Multiple Vulnerabilities in SAP Data Services
- 7.5 [CVE-2021-38177] Null Pointer Dereference vulnerability in SAP CommonCryptoLib
- 6.5 [CVE-2021-27603] Denial of Service (DoS) in SAP NetWeaver AS of ABAP
- 6.5 [CVE-2020-26826] Unrestricted File Upload vulnerability in SAP NetWeaver Application Server for Java (Process Integration Monitoring)
- 6.5 [CVE-2021-21488] Insecure deserialisation in SAP NetWeaver Knowledge Management
