Published on February 12th, 2021 📆 | 1854 Views ⚑0
SAP Commerce Product Has Vulnerability
Fraud Management & Cybercrime
Fraud Risk Management
Company Issues Patch, Remediation Advice
Prajeet Nair (@prajeetspeaks) •
February 12, 2021
SAP has issued a patch and remediation advice for a critical remote code execution vulnerability in its SAP Commerce product that could, if exploited, disrupt the entire system.See Also: Brand Impersonation: It’s an InfoSec Problem
The vulnerability, CVE-2021-21477, affects the e-commerce product if the rule engine extension is installed, SAP says. It received a CVSS score of 9.9 out of 10.
SAP Commerce organizes data, such as product information, to be propagated across communication channels.
“Due to a misconfiguration of the default user permissions that are shipped with SAP Commerce, several lower-privileged users and user groups gain permissions to change DroolsRule ruleContents and thus gain unintended access to these scripting facilities,” says Thomas Fritsch of Onapsis Research Labs.
This vulnerability could enable unauthorized users to inject malicious code into these scripts, resulting in a strong negative impact on the application’s confidentiality, integrity and availability, he adds.
The vulnerability affects SAP Commerce Cloud, versions – 1808, 1811, 1905, 2005, and 2011.
Drools is an open source business logic integration platform used to define and execute a set of rules that can manage complex decision-making scenarios, Fritsch explains.
Drools rules contain a ruleContent attribute that provides scripting facilities, he notes. Changing of any ruleContent is limited to privileged users, such as admin and other members of admin group.
Patch and Remediation
On Tuesday, SAP released href=”https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=568460543″ target=”_blank”>security notes, including a patch that fixes the default permissions when initializing a new installation of SAP Commerce. For existing installations, SAP provided manual remediation steps.
“The good news is that for existing installations, these manual remediation steps can be used as a full workaround for SAP Commerce installations that cannot install the latest patch releases in a timely manner,” Fritsch says.
A spokesperson for SAP could not immediately be reached for comment.
Other SAP Flaws
Last month, SAP said that an exploit of an authentication vulnerability, CVE-2020-6207, in SAP Solution Manager could lead to a compromise of other connected SAP applications (see: Researchers Identify SAP Flaw Exploit ).
In July 2020, cybersecurity experts identified a zero-day vulnerability, tracked as CVE-2020-6287, in SAP’s NetWeaver Application Server (see: Users Urged to Patch Critical Flaw in SAP NetWeaver AS).
And in June 2020, researchers at security firm Trustwave disclosed six vulnerabilities in SAP Adaptive Server Enterprise 16.0 database software (see: Researchers Disclose 2 Critical Vulnerabilities in SAP ASE).
originally appeared on Source link