SAP Commerce Product Has Vulnerability

Company Issues Patch, Remediation Advice
SAP has issued a patch and remediation advice for a critical remote code execution vulnerability in its SAP Commerce product that could, if exploited, disrupt the entire system.

The vulnerability, CVE-2021-21477, affects the e-commerce product if the rule engine extension is installed, SAP says. It received a CVSS score of 9.9 out of 10.

SAP Commerce organizes data, such as product information, to be propagated across communication channels.

"Due to a misconfiguration of the default user permissions that are shipped with SAP Commerce, several lower-privileged users and user groups gain permissions to change DroolsRule ruleContents and thus gain unintended access to these scripting facilities," says Thomas Fritsch of Onapsis Research Labs.

This vulnerability could enable unauthorized users to inject malicious code into these scripts, resulting in a strong negative impact on the application’s confidentiality, integrity and availability, he adds.

The vulnerability affects SAP Commerce Cloud, versions 1808, 1811, 1905, 2005, and 2011.

Drools is an open-source, business logic integration platform used to define and execute a set of rules that can manage complex decision-making scenarios, Fritsch says.

Drools rules contain a ruleContent attribute that provides scripting facilities, he notes. Making changes to any ruleContent is meant to be limited to privileged users, such as admin and other members of the admin group.
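An audit for the condition described above can be sketched as follows. This is an added example, not code from SAP or Onapsis: the membership and grant data, the group names other than admin, and the tuple layout are constructed for illustration and are not a real SAP Commerce export format.

```python
# Principals treated as privileged (assumption: "admingroup" stands for the admin group).
PRIVILEGED = {"admin", "admingroup"}

# Constructed sample: principal -> groups it directly belongs to.
MEMBER_OF = {
    "admin": ["admingroup"], "admingroup": [], "staffgroup": [],
    "contentgroup": ["staffgroup"], "supportgroup": ["staffgroup"],
    "alice": ["contentgroup"], "bob": ["supportgroup"],
    "carol": ["contentgroup", "admingroup"],
}

# Constructed sample: (principal, type, attribute, permission).
# attribute None means the grant covers the whole type.
GRANTS = [
    ("admingroup", "DroolsRule", "ruleContent", "change"),
    ("contentgroup", "DroolsRule", "ruleContent", "change"),  # over-broad grant
    ("supportgroup", "DroolsRule", "ruleContent", "read"),
    ("staffgroup", "Product", "name", "change"),
]

def ancestors(principal, member_of):
    """Return the principal plus every group it belongs to, directly or nested."""
    seen, stack = set(), [principal]
    while stack:
        p = stack.pop()
        if p in seen:
            continue  # guards against cyclic group nesting
        seen.add(p)
        stack.extend(member_of.get(p, []))
    return seen

def unintended_rule_editors(member_of, grants, privileged=PRIVILEGED):
    """Map each non-privileged principal to the grant holders that let it
    change DroolsRule ruleContent, including inherited group grants."""
    granted = {p for p, typ, attr, perm in grants
               if typ == "DroolsRule" and attr in ("ruleContent", None)
               and perm == "change"}
    findings = {}
    for principal in sorted(member_of):
        chain = ancestors(principal, member_of)
        if chain & privileged:
            continue  # effectively a member of the admin group
        via = sorted(chain & granted)
        if via:
            findings[principal] = via
    return findings

if __name__ == "__main__":
    for who, via in unintended_rule_editors(MEMBER_OF, GRANTS).items():
        print(f"{who}: can change DroolsRule.ruleContent via {', '.join(via)}")
```
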

Patch and Remediation

On Tuesday, SAP released security notes, including a patch that fixes the default permissions when initializing a new installation of SAP Commerce. For existing installations, SAP provided manual remediation steps.

"The good news is that for existing installations, these manual remediation steps can be used as a full workaround for SAP Commerce installations that cannot install the latest patch releases in a timely manner," Fritsch says.

A spokesperson for SAP could not immediately be reached for comment.

Other SAP Flaws

Last month, SAP said that an exploit of an authentication vulnerability, CVE-2020-6207, in SAP Solution Manager could lead to a compromise of other connected SAP applications (see: Researchers Identify SAP Flaw Exploit).

In July 2020, cybersecurity experts identified a zero-day vulnerability, tracked as CVE-2020-6287, in SAP's NetWeaver Application Server (see: Users Urged to Patch Critical Flaw in SAP NetWeaver AS).

And in June 2020, researchers at security firm Trustwave disclosed six vulnerabilities in SAP Adaptive Server Enterprise 16.0 database software (see: Researchers Disclose 2 Critical Vulnerabilities in SAP ASE).

About the Author

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.
