SAP Commerce Critical Security Bug Allows RCE

  • The critical SAP security flaw could allow the compromise of an application used by e-commerce organizations.

    SAP is warning of a critical vulnerability in its SAP Commerce platform for e-commerce organizations. If exploited, the flaw could allow remote code execution (RCE) that could ultimately compromise or disrupt the application.

    SAP Commerce organizes data, such as product data, to be distributed across a number of channels. This can give organizations a leg up in dealing with complex supply-chain management issues.

    The vulnerability (CVE-2021-21477) affects SAP Commerce versions 1808, 1811, 1905, 2005 and 2011. It ranks 9.9 out of 10 on the CVSS scale, making it critical in severity.

    “With regard to the assigned CVSS score of 9.9 and considering the potential impact on the application, it is strongly advisable to mitigate the vulnerability as soon as possible,” said Thomas Fritsch with Onapsis, in a Tuesday analysis.

    What Are SAP Commerce Drools Rules?

    The flaw allows certain users with “required privileges” to edit Drools rules. Drools is the engine that makes up the rules engine for SAP Commerce. The purpose of Drools is to define and execute a set of rules that businesses can use to handle complex decision-making scenarios.

    The flaw specifically stems from a rule in Drools that includes a ruleContent attribute. This attribute provides scripting facilities. Control over ruleContent is normally reserved for high-privileged users, such as administrators, said Fritsch.

    However, “due to a misconfiguration of the default user permissions that are shipped with SAP Commerce, several lower-privileged users and user groups gain permissions to change the DroolsRule ruleContents and hence gain unintended access to these scripting facilities,” explained Fritsch.

    Remote Code Execution in SAP Commerce

    This means that an attacker with that lower level of privilege can inject malicious code into the Drools rule scripts, leading to RCE and the compromise of the underlying host. Ultimately, this allows a cybercriminal to impair “the confidentiality, integrity and availability of the application,” explained Fritsch.

    A patch has been issued; however, Fritsch noted, the fixes for the vulnerability only address the default permissions when initializing a new installation of SAP Commerce.

    “For existing installations of SAP Commerce, additional manual remediation steps are needed,” he said. “The good news is that for existing installations, these manual remediation steps can be used as a full workaround for SAP Commerce installations that cannot install the latest patch releases in a timely manner.”
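The misconfiguration Fritsch describes is an access-control problem: a write grant on the DroolsRule ruleContent attribute reaching principals who are not administrators, possibly only through nested group membership. The following Python model is an added illustration of the kind of audit the manual remediation implies for existing installations; it is not code from SAP, Onapsis or the article. The group names, users and grants are constructed stand-ins, not the real shipped defaults, and the model omits the explicit denials that a real SAP Commerce user-rights configuration also supports.

```python
"""Audit which principals can change DroolsRule.ruleContent.

Added illustration, not SAP's or Onapsis's code. The permission data is a
constructed stand-in for an SAP Commerce user-rights configuration: the
group/user names are assumptions, not the real shipped defaults.
"""
from collections import deque

# Constructed membership graph: principal -> parent groups. Membership is
# transitive, so a user inherits every grant of every ancestor group.
GROUPS = {
    "admingroup": [],
    "employeegroup": [],
    "customergroup": [],
    "cmsmanagergroup": ["employeegroup"],   # assumed group name
    "alice": ["cmsmanagergroup"],           # constructed user
    "bob": ["customergroup"],               # constructed user
}

# Constructed grants: (principal, target, permission). A target is either a
# type ("DroolsRule") or a type attribute ("DroolsRule.ruleContent").
VULNERABLE_GRANTS = [
    ("admingroup", "DroolsRule", "change"),
    ("admingroup", "DroolsRule.ruleContent", "change"),
    ("employeegroup", "DroolsRule", "read"),
    ("cmsmanagergroup", "DroolsRule.ruleContent", "change"),  # the misconfiguration
]

# Remediated set: the non-admin write grant on ruleContent is withdrawn.
REMEDIATED_GRANTS = [g for g in VULNERABLE_GRANTS if g[0] != "cmsmanagergroup"]

TRUSTED = {"admingroup"}                 # groups allowed to hold scripting rights
SENSITIVE_TARGET = "DroolsRule.ruleContent"
WRITE_PERMS = {"change", "create", "change_perm"}


def ancestors(principal, groups=GROUPS):
    """Return the principal plus every group it belongs to, transitively."""
    seen, queue = set(), deque([principal])
    while queue:
        p = queue.popleft()
        if p in seen:
            continue
        seen.add(p)
        queue.extend(groups.get(p, []))
    return seen


def _covers(grant_target, target):
    """A grant on the whole type also covers each of its attributes."""
    return grant_target == target or grant_target == target.split(".")[0]


def can_write(principal, target, grants, groups=GROUPS):
    """True if any grant held directly or via a group allows writing target."""
    holders = ancestors(principal, groups)
    return any(p in holders and _covers(t, target) and perm in WRITE_PERMS
               for p, t, perm in grants)


def audit(grants, groups=GROUPS):
    """List principals outside the trusted groups that can write ruleContent."""
    findings = []
    for principal in groups:
        if ancestors(principal, groups) & TRUSTED:
            continue  # administrators are expected to hold this right
        if can_write(principal, SENSITIVE_TARGET, grants, groups):
            findings.append(principal)
    return sorted(findings)


if __name__ == "__main__":
    print("before remediation:", audit(VULNERABLE_GRANTS))
    print("after remediation: ", audit(REMEDIATED_GRANTS))
```

Running the script flags both the misconfigured group and the user who inherits from it before remediation, and nothing afterwards; the point of walking the membership graph is that a grant rarely names the end user directly, so checking only direct grants would miss the inherited path.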

    Other Critical SAP Security Releases

    The vulnerability update was one of seven security notes released on Tuesday by SAP. The other six releases were updates to previously released Patch Tuesday security notes.

    One of these ranked 10 on the CVSS scale and addressed security issues in the browser control for Google Chromium, which is shipped with the SAP Business Client. It affects SAP Business Client version 6.5. A specific CVE assignment for this flaw, and further details, were not available.

    Another critical-severity flaw that was previously released and updated on Tuesday covered multiple flaws (CVE-2021-21465) in SAP Business Warehouse, a data “warehousing” product based on the SAP NetWeaver ABAP platform, which collects and stores data.

    “The BW Database Interface allows an attacker with low privileges to execute any crafted database queries, exposing the backend database,” according to the MITRE Corporation. “An attacker can include their own SQL commands which the database will execute without properly sanitizing the untrusted data leading to SQL injection vulnerability which can fully compromise the affected SAP system.”

    Patch Tuesday Security Updates

    The vulnerability fixes come during a busy Patch Tuesday week. Microsoft addressed nine critical-severity security bugs in its February Patch Tuesday updates, as well as an important-rated vulnerability that is being actively exploited in the wild.

    Adobe warned of a critical vulnerability that has been exploited in the wild in “limited attacks” to target Adobe Acrobat Reader users on Windows.

    And Intel issued fixes for five high-severity vulnerabilities in its graphics drivers. Attackers can exploit these flaws to launch an array of malicious attacks, such as escalating their privileges, stealing sensitive data or launching denial-of-service attacks.