Description
Symptom
This SAP security note addresses improper input validation when the file formats listed below are opened in SAP 3D Visual Enterprise Viewer.
When a user opens a manipulated file received from an untrusted source in SAP 3D Visual Enterprise Viewer, the application crashes and is temporarily unavailable to the user until it is restarted. The impact is limited to availability, consistent with the CVSS vector given below.
The affected file formats and their CVE identifiers are listed below.
Improper Input Validation
Graphics Interchange Format (.gif, 2d.x3d) – CVE-2021-42068
Jupiter Tessellation (.jt, DKReader.x3d) – CVE-2021-42069
Tagged Image File Format (.tif, 2d.x3d) – CVE-2021-42070
Other Terms
Improper Input Validation, SAP 3D Visual Enterprise Viewer, CVE-2021-42068, CVE-2021-42069, CVE-2021-42070
Reason and Prerequisites
Insufficient input validation when the file formats listed above are opened in SAP 3D Visual Enterprise Viewer.
Solution
This issue is fixed in the patch listed in the “Support Packages & Patches” section below. Fixes for all three linked CVE-IDs are included in the same SP Patch level.
- The following file formats now receive additional validation when they are opened in SAP 3D Visual Enterprise Viewer:
- Graphics Interchange Format (.gif, 2d.x3d)
- Jupiter Tessellation (.jt, DKReader.x3d)
- Tagged Image File Format (.tif, 2d.x3d)
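The note does not say which fields the added validation checks. As an added example (not SAP's code and not taken from this note), the following C parser shows what "additional validation" means for the simplest of the three formats, GIF: every field of the header, logical screen descriptor and global color table is bounds-checked against the buffer before it is read, and the declared image size is capped, so a truncated or manipulated file is rejected with an error code instead of crashing the consumer. The pixel cap, the sample files and the helper names are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical cap for this example: refuse images above 64 Mpx so a
 * manipulated width/height cannot drive an oversized allocation. */
#define GIF_MAX_PIXELS (64u * 1024u * 1024u)

typedef enum {
    GIF_OK = 0,
    GIF_ERR_TRUNCATED,      /* file shorter than the fields it declares */
    GIF_ERR_BAD_SIGNATURE,  /* not "GIF87a" / "GIF89a" */
    GIF_ERR_BAD_DIMENSIONS, /* zero width or height */
    GIF_ERR_TOO_LARGE       /* exceeds GIF_MAX_PIXELS */
} gif_status;

typedef struct {
    uint16_t width;
    uint16_t height;
    int      has_global_ct;
    size_t   global_ct_bytes; /* 3 * 2^(N+1), or 0 when no table */
    size_t   header_bytes;    /* bytes consumed before the first block */
} gif_header;

static uint16_t rd_le16(const uint8_t *p) {
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* Parse and validate the fixed-size prefix of a GIF file. */
gif_status gif_parse_header(const uint8_t *buf, size_t len, gif_header *out) {
    /* 6-byte signature + 7-byte logical screen descriptor must be present */
    if (buf == NULL || out == NULL || len < 13)
        return GIF_ERR_TRUNCATED;
    if (memcmp(buf, "GIF87a", 6) != 0 && memcmp(buf, "GIF89a", 6) != 0)
        return GIF_ERR_BAD_SIGNATURE;

    memset(out, 0, sizeof *out);
    out->width  = rd_le16(buf + 6);
    out->height = rd_le16(buf + 8);
    uint8_t packed = buf[10];

    if (out->width == 0 || out->height == 0)
        return GIF_ERR_BAD_DIMENSIONS;
    /* 65535 * 65535 < 2^32, so this product cannot overflow a uint32_t */
    if ((uint32_t)out->width * (uint32_t)out->height > GIF_MAX_PIXELS)
        return GIF_ERR_TOO_LARGE;

    out->header_bytes  = 13;
    out->has_global_ct = (packed & 0x80) != 0;
    if (out->has_global_ct) {
        /* low 3 bits N: the table holds 2^(N+1) entries of 3 bytes each */
        size_t entries = (size_t)1 << ((packed & 0x07) + 1);
        out->global_ct_bytes = entries * 3;
        /* the table is declared by a flag; verify it is actually in the file */
        if (len - 13 < out->global_ct_bytes)
            return GIF_ERR_TRUNCATED;
        out->header_bytes += out->global_ct_bytes;
    }
    return GIF_OK;
}

/* Convenience wrappers used by the demo below. */
gif_status gif_classify(const uint8_t *buf, size_t len) {
    gif_header h;
    return gif_parse_header(buf, len, &h);
}
size_t gif_header_len(const uint8_t *buf, size_t len) {
    gif_header h;
    return gif_parse_header(buf, len, &h) == GIF_OK ? h.header_bytes : 0;
}

/* Constructed sample inputs (not real files from the advisory). */
static const uint8_t sample_ok[] = {
    'G','I','F','8','9','a', 0x0A,0x00, 0x0A,0x00, /* 10 x 10 */
    0x80, 0x00, 0x00,                             /* global CT, 2 entries */
    0x00,0x00,0x00, 0xFF,0xFF,0xFF                /* the 2 RGB entries */
};
static const uint8_t sample_truncated[] = {      /* declares CT, cut short */
    'G','I','F','8','9','a', 0x0A,0x00, 0x0A,0x00, 0x80, 0x00, 0x00, 0x00,0x00
};
static const uint8_t sample_zero_height[] = {
    'G','I','F','8','9','a', 0x0A,0x00, 0x00,0x00, 0x00, 0x00, 0x00
};
static const uint8_t sample_huge[] = {
    'G','I','F','8','9','a', 0xFF,0xFF, 0xFF,0xFF, 0x00, 0x00, 0x00
};
static const uint8_t sample_bad_sig[] = {
    'G','I','F','9','0','a', 0x0A,0x00, 0x0A,0x00, 0x00, 0x00, 0x00
};

int main(void) {
    printf("ok:         %d\n", gif_classify(sample_ok, sizeof sample_ok));
    printf("truncated:  %d\n", gif_classify(sample_truncated, sizeof sample_truncated));
    printf("zero size:  %d\n", gif_classify(sample_zero_height, sizeof sample_zero_height));
    printf("huge:       %d\n", gif_classify(sample_huge, sizeof sample_huge));
    printf("bad sig:    %d\n", gif_classify(sample_bad_sig, sizeof sample_bad_sig));
    return 0;
}
```

The same pattern applies to the TIFF IFD (entry count and per-entry offsets checked against the file length before dereferencing) and to JT segment tables; in each case the rule is that a length or count read from the file is verified against the bytes actually present before it drives a read or an allocation.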
The SAP Note 3034457 provides release information about SAP 3D Visual Enterprise Viewer 9.0 FP12.
Available fix and Supported packages
VE_VIEWER_COMPLETE
CVSS
Score: 4.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Exploit
Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.
URL
https://launchpad.support.sap.com/#/notes/3121165
TAGS
Improper Input Validation, SAP 3D Visual Enterprise Viewer, CVE-2021-42068, CVE-2021-42069, CVE-2021-42070