SAP released seven new security notes on February 2021 Security Patch Day and updated six previously released notes.
The new security notes include a Hot News note that addresses a critical vulnerability, tracked as CVE-2021-21477, in SAP Commerce.
The CVE-2021-21477 is a remote code execution that impacts the Commerce product if the rule engine extension is installed. The critical flaw received a CVSS score of 9.9.
“SAP Commerce Cloud, versions – 1808,1811,1905,2005,2011, enables certain users with required privileges to edit drools rules, an authenticated attacker with this privilege will be able to inject malicious code in the drools rules which when executed leads to Remote Code Execution vulnerability enabling the attacker to compromise the underlying host enabling him to impair confidentiality, integrity and availability of the application.” reads the advisory for the flaw.
Experts from security firm Onapsis pointed out that rule engine extension is a common part of SAP Commerce installs, the patch addresses the majority of these installations.
The rule engine is based on the Drools engine and is used to define and execute a set of rules that can manage even extremely complex decision-making scenarios.
“Drools rules contain a ruleContent attribute that provides scripting facilities. Changing of ruleContent should normally be limited to highly privileged users, like admin and other members of admingroup.” reads the analysis published by Onapsis. “Due to a misconfiguration of the default user permissions that are shipped with Commerce, several lower-privileged users and user groups gain permissions to change DroolsRule ruleContents and thus gain unintended access to these scripting facilities. This enables unauthorized users to inject malicious code into these scripts resulting in a strong negative impact on the application’s confidentiality, integrity and availability.”
in order to address this issue, the software giant has changed the default permissions for new SAP Commerce installations, the company also provided manual remediation steps for existing installations.
The following other two Hot News notes released by the vendor are updates to previously released notes:
SAP release two high severity security notes, one for missing authorization checks in NetWeaver AS ABAP and S4 HANA (SAP Landscape Transformation), and another for a Denial of service (DOS) in SAP NetWeaver AS ABAP and ABAP Platform.
The remaining security notes address medium-severity vulnerabilities in NetWeaver Master Data Management 7.1, NetWeaver Process Integration, Business Objects Business Intelligence Platform, SAPUI5, Web Dynpro ABAP Applications, UI5 HTTP Handler, and HANA Database.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
(SecurityAffairs – hacking, RCE)