SAP Commerce Critical Security Bug Allows RCE


The critical SAP cybersecurity flaw could allow for the compromise of an application used by e-commerce businesses.

SAP is warning of a critical vulnerability in its SAP Commerce platform for e-commerce businesses. If exploited, the flaw could allow for remote code execution (RCE) that ultimately could compromise or disrupt the application.

SAP Commerce organizes data – such as product information – to be disseminated across multiple channels. This can give businesses a leg up in dealing with complex supply-chain management issues.

The vulnerability (CVE-2021-21477) affects SAP Commerce versions 1808, 1811, 1905, 2005 and 2011. It ranks 9.9 out of 10 on the CVSS scale – making it critical in severity.

“With regard to the assigned CVSS score of 9.9 and facing the potential impact on the application, it is strongly recommended to mitigate the vulnerability as soon as possible,” said Thomas Fritsch with Onapsis, in a Tuesday analysis.

What Are SAP Commerce Drools Rules?

The flaw allows certain users with “required privileges” to edit Drools rules. Drools is the rules engine used by SAP Commerce; its purpose is to define and execute a set of rules that businesses can use to manage complex decision-making scenarios.

The flaw specifically stems from a rule in Drools that contains a ruleContent attribute. This attribute provides scripting facilities. Control over ruleContent is typically reserved for high-privileged users, such as administrators, said Fritsch.

However, “due to a misconfiguration of the default user permissions that are shipped with SAP Commerce, several lower-privileged users and user groups gain permissions to change the DroolsRule ruleContents and thus gain unintended access to these scripting facilities,” said Fritsch.

Remote Code Execution in SAP Commerce

This means that an attacker with that lower level of privilege can inject malicious code into the Drools rules scripts – leading to RCE and the compromise of the underlying host. And ultimately, this allows a cybercriminal to impair “the confidentiality, integrity and availability of the application,” said Fritsch.

A patch has been issued; however, Fritsch said, the fixes for the vulnerability only address the default permissions when initializing a new installation of SAP Commerce.

“For existing installations of SAP Commerce, additional manual remediation steps are required,” he said. “The good news is that for existing installations, these manual remediation steps can be used as a full workaround for SAP Commerce installations that cannot install the latest patch releases in a timely manner.”

Other Critical SAP Cybersecurity Releases

The vulnerability update was one of seven security notes released on Tuesday by SAP. The other six releases were updates to previously released Patch Tuesday security notes.

One of these ranked 10 on the CVSS scale and addressed security issues in the browser control for Google Chromium, which is delivered with SAP Business Client. It affects SAP Business Client version 6.5. A specific CVE assignment for this flaw, and further details, were not available.

Another critical-severity flaw that was previously released and updated on Tuesday included multiple flaws (CVE-2021-21465) in SAP Business Warehouse, a data “warehousing” product based on the SAP NetWeaver ABAP platform, which collects and stores data.

“The BW Database Interface allows an attacker with low privileges to execute any crafted database queries, exposing the backend database,” according to the Mitre Corporation. “An attacker can include their own SQL commands which the database will execute without properly sanitizing the untrusted data leading to SQL injection vulnerability which can fully compromise the affected SAP system.”

Patch Tuesday Security Updates

The vulnerability fixes come during a busy Patch Tuesday week. Microsoft addressed nine critical-severity security bugs in its February Patch Tuesday updates, as well as an important-rated vulnerability that is being actively exploited in the wild.

Adobe warned of a critical vulnerability that has been exploited in the wild in “limited attacks” to target Adobe Acrobat Reader users on Windows.

And, Intel issued fixes for five high-severity vulnerabilities in its graphics drivers. Attackers can exploit these flaws to launch an array of malicious attacks – such as escalating their privileges, stealing sensitive data or launching denial-of-service attacks.

