SAP Commerce Product Has Vulnerability
Company Issues Patch, Remediation Advice
SAP has issued a patch and remediation advice for a critical remote code execution vulnerability in its SAP Commerce product that, if exploited, could fully compromise the application.
The vulnerability, CVE-2021-21477, affects the e-commerce product if the rule engine extension is installed, SAP says. It received a CVSS score of 9.9 out of 10.
SAP Commerce organizes data, such as product information, to be propagated across communication channels.
"Due to a misconfiguration of the default user permissions that are shipped with SAP Commerce, several lower-privileged users and user groups gain permissions to change DroolsRule ruleContents and thus gain unintended access to these scripting facilities," says Thomas Fritsch of Onapsis Research Labs.
This vulnerability could enable unauthorized users to inject malicious code into these scripts, resulting in a strong negative impact on the application’s confidentiality, integrity and availability, he adds.
The vulnerability affects SAP Commerce Cloud, versions 1808, 1811, 1905, 2005, and 2011.
Drools is an open-source, business logic integration platform used to define and execute a set of rules that can manage complex decision-making scenarios, Fritsch says.
Drools rules contain a ruleContent attribute that provides scripting facilities, he notes. Changing any ruleContent is meant to be restricted to privileged users, such as admin and other members of the admin group; the shipped default permissions break that restriction.
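Because a DroolsRule's ruleContent is DRL whose "then" block is compiled and executed as Java, anyone who can edit it can run arbitrary code on the server. One check a practitioner can run on existing installations is to export the ruleContent of every DroolsRule and look for consequences or imports that reach outside ordinary promotion logic. The script below is an added example, not code from SAP or Onapsis: the two rules it scans are constructed for illustration (the CartRAO fields and setDiscount call are made up, not the real SAP Commerce rule API), and the indicator list is an editorial assumption about what does not belong in a promotion rule.

```python
"""Audit exported Drools rule content (DRL) for consequences that reach outside the rule engine.

Added example. The DRL below is constructed for illustration; it is not SAP Commerce's
shipped rule set or a captured attack, and the indicator list is an assumption.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumption: things a promotion rule's consequence has no business doing.
# Dict order is the order findings are reported in.
SUSPICIOUS_PATTERNS = {
    "process execution": re.compile(r"\b(Runtime\s*\.\s*getRuntime|ProcessBuilder)\b"),
    "reflection": re.compile(r"\b(Class\s*\.\s*forName|java\.lang\.reflect)\b"),
    "classloading": re.compile(r"\b(URLClassLoader|defineClass)\b"),
    "scripting": re.compile(r"\bjavax\.script\b"),
    "file or network I/O": re.compile(r"\b(java\.io\.File|java\.nio\.file|java\.net\.(URL|Socket))\b"),
    "system properties/env": re.compile(r"\bSystem\s*\.\s*(getenv|setProperty|exit)\b"),
}

# A DRL rule: rule "name" [attributes] when <conditions> then <Java consequence> end
RULE_RE = re.compile(
    r'rule\s+"(?P<name>[^"]*)"(?P<attrs>.*?)\bwhen\b(?P<when>.*?)\bthen\b(?P<then>.*?)\bend\b',
    re.DOTALL,
)
# Top-level imports (including "import function") live outside rule blocks.
IMPORT_RE = re.compile(r"^\s*import\s+(?:function\s+)?([\w.*]+)\s*;?", re.MULTILINE)


@dataclass
class Finding:
    rule: str       # rule name, or "<import>" for a package-level import
    category: str   # key from SUSPICIOUS_PATTERNS
    evidence: str   # the matched text


def scan_drl(drl: str) -> list[Finding]:
    """Return every suspicious import or consequence found in one DroolsRule's ruleContent."""
    findings: list[Finding] = []
    # A dangerous import signals intent before any rule fires, so report it on its own.
    for m in IMPORT_RE.finditer(drl):
        for category, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(m.group(1)):
                findings.append(Finding("<import>", category, m.group(1)))
    # Only the "then" block is executed as Java; conditions are pattern matches on facts.
    for m in RULE_RE.finditer(drl):
        consequence = m.group("then")
        for category, pattern in SUSPICIOUS_PATTERNS.items():
            hit = pattern.search(consequence)
            if hit:
                findings.append(Finding(m.group("name"), category, hit.group(0)))
    return findings


# Constructed sample: one ordinary-looking promotion rule and one that only pretends to be.
RULE_CONTENT = '''
package de.hybris.platform.promotionengineservices.promotionengine.rules;

import de.hybris.platform.ruleengineservices.rao.CartRAO;
import java.io.File;

rule "legit_10_percent_over_100"
when
    $cart : CartRAO( total >= 100 )
then
    // ordinary promotion action (hypothetical call, not the real action API)
    $cart.setDiscount(10);
end

rule "looks_like_a_discount"
when
    $cart : CartRAO()
then
    Runtime.getRuntime().exec("id");
end
'''

if __name__ == "__main__":
    for f in scan_drl(RULE_CONTENT):
        print(f"{f.rule}: {f.category} ({f.evidence})")
```

Run it over a dump of every DroolsRule's ruleContent (one call per rule) and treat any finding outside the known, reviewed rule set as an indicator that the over-permissioned defaults were used. The regex is deliberately simple; a consequence that hides a call behind string concatenation or a helper in an imported function will not be caught, so this complements rather than replaces fixing the permissions themselves.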
Patch and Remediation
On Tuesday, SAP released security notes, including a patch that fixes the default permissions when initializing a new installation of SAP Commerce. For existing installations, SAP provided manual remediation steps.
"The good news is that for existing installations, these manual remediation steps can be used as a full workaround for SAP Commerce installations that cannot install the latest patch releases in a timely manner," Fritsch says.
A spokesperson for SAP could not immediately be reached for comment.
Other SAP Flaws
Last month, SAP said that an exploit of an authentication vulnerability, CVE-2020-6207, in SAP Solution Manager could lead to a compromise of other connected SAP applications (see: Researchers Identify SAP Flaw Exploit).
In July 2020, cybersecurity experts identified a zero-day vulnerability, tracked as CVE-2020-6287, in SAP's NetWeaver Application Server (see: Users Urged to Patch Critical Flaw in SAP NetWeaver AS).
And in June 2020, researchers at security firm Trustwave disclosed six vulnerabilities in SAP Adaptive Server Enterprise 16.0 database software (see: Researchers Disclose 2 Critical Vulnerabilities in SAP ASE).