SAP’s newly published security notes for the February 2021 Security Patch Day included a Hot News item addressing a serious vulnerability in SAP Commerce. A patch has been issued for the critical bug, which can lead to a complete compromise of the SAP e-commerce platform.
The SAP Product Security Response Team delivers Patch Day Security Notes to ensure customers are protected against potential cybersecurity attacks. On 9 February 2021, 13 security notes, including 3 corrections classified as Hot News, were released. SAP Security Note #3014121, tracked as CVE-2021-21477, addresses a Remote Code Execution (RCE) vulnerability that could disrupt the entire SAP e-commerce platform if exploited.
SAP Commerce provides a systematic approach to organising data – such as product information – for distribution across multiple communication channels. The critical flaw, assigned a CVSS score of 9.9 and categorised as critical in severity, could compromise the application used by e-commerce businesses.
In an analysis released by Onapsis, a provider of SAP ERP application security solutions, Thomas Fritsch stated that:
“The only new critical patch was released for SAP Commerce. This allows affected customers to spend time going through the described manual mitigation steps for their existing installations. With regard to the assigned CVSS score of 9.9 and facing the potential impact on the application, it is strongly recommended to mitigate the vulnerability as soon as possible.”
Remote Code Execution on SAP E-Commerce Platform
Detailing more about the critical flaw, the advisory stated that:
“SAP Commerce Cloud, versions – 1808, 1811, 1905, 2005, 2011, enables certain users with required privileges to edit drools rules; an authenticated attacker with this privilege will be able to inject malicious code in the drools rules which, when executed, leads to a Remote Code Execution vulnerability enabling the attacker to compromise the underlying host, enabling him to impair confidentiality, integrity and availability of the application.”
The report from Onapsis indicated that the bug only affects SAP Commerce installations that have the rule engine extension installed. Since that extension is a standard component of SAP Commerce, this covers the majority of installations.
Fritsch explained that the vulnerability stems from a rule in Drools – an open-source business logic integration platform – whose ruleContent attribute provides scripting facilities. He added that control over ruleContent is normally limited to high-privileged users, such as admins and other members of the same department.
However, Fritsch clarified that:
“Due to a misconfiguration of the default user permissions that are shipped with SAP Commerce, several lower-privileged users and user groups gain permissions to change the DroolsRule ruleContents and thus gain unintended access to these scripting facilities.”
Because the patch only corrects the default authorisations that are applied when a new installation of SAP Commerce is initialised, the software giant has also published additional manual remediation steps for existing installations.
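The root cause described above is an attribute-level authorisation defect: a group that should not be able to edit a script-capable attribute has change rights on it. The following is an added example, not code from the article, from SAP or from Onapsis, of how a defender can audit such a permission table and produce a hardened copy. The permission-table layout, the helper names and every group name other than `admingroup` are constructed for illustration and do not reproduce SAP Commerce's real user-rights format.

```python
"""
Added example (not from the article, SAP or Onapsis): audit a simplified,
constructed model of attribute-level permissions and flag any principal group
other than the trusted editors that can change DroolsRule.ruleContent.
Assumptions (not from the page): the AttributeRight layout, the group names
other than 'admingroup', and the helper names are illustrative only.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class AttributeRight:
    principal: str   # user group holding the right
    item_type: str   # type whose attribute is governed, e.g. "DroolsRule"
    attribute: str   # attribute name, e.g. "ruleContent"
    change: bool     # True if the group may modify the attribute


# Attributes whose content is executed as code by the rule engine. Write access
# to them is equivalent to the ability to run code on the host, so they are the
# ones an audit must single out (list taken from the advisory's description).
SCRIPT_CAPABLE = {("DroolsRule", "ruleContent")}

# Groups legitimately allowed to edit rule content. Assumption: only admins.
TRUSTED_EDITORS = {"admingroup"}

# Constructed sample of a weak default permission set. Only 'admingroup' is a
# real SAP Commerce group name; the others are placeholders for this example.
WEAK_DEFAULTS = [
    AttributeRight("admingroup", "DroolsRule", "ruleContent", change=True),
    AttributeRight("productmanagergroup", "DroolsRule", "ruleContent", change=True),
    AttributeRight("customermanagergroup", "DroolsRule", "ruleContent", change=True),
    AttributeRight("employeegroup", "DroolsRule", "ruleContent", change=False),
    # Non-script attribute: write access here is not a code-execution path.
    AttributeRight("productmanagergroup", "DroolsRule", "code", change=True),
]


def find_overprivileged(rights, script_capable=SCRIPT_CAPABLE, trusted=TRUSTED_EDITORS):
    """Return sorted (principal, type, attribute) tuples for every non-trusted
    group that holds change rights on a script-capable attribute."""
    findings = {
        (r.principal, r.item_type, r.attribute)
        for r in rights
        if r.change
        and (r.item_type, r.attribute) in script_capable
        and r.principal not in trusted
    }
    return sorted(findings)


def harden(rights, script_capable=SCRIPT_CAPABLE, trusted=TRUSTED_EDITORS):
    """Return a copy of the rights with change access on script-capable
    attributes revoked for non-trusted groups. Read access and rights on
    other attributes are left untouched so legitimate work still functions."""
    hardened = []
    for r in rights:
        if r.change and (r.item_type, r.attribute) in script_capable and r.principal not in trusted:
            hardened.append(replace(r, change=False))
        else:
            hardened.append(r)
    return hardened


def can_change(rights, principal, item_type, attribute):
    """Convenience check: does the principal hold change rights on the attribute?"""
    return any(
        r.change and r.principal == principal
        and r.item_type == item_type and r.attribute == attribute
        for r in rights
    )


if __name__ == "__main__":
    for finding in find_overprivileged(WEAK_DEFAULTS):
        print("over-privileged write on script attribute:", finding)
    fixed = harden(WEAK_DEFAULTS)
    print("findings after hardening:", find_overprivileged(fixed))
```

Run against the constructed table, the audit reports the two placeholder non-admin groups that can write `ruleContent`, and after `harden()` the only remaining writer of that attribute is `admingroup`, while the non-script `code` attribute keeps its existing writers. The same two-step shape (enumerate script-capable attributes, then diff their writers against an allow-list of trusted groups) is what an existing installation would want to check before and after applying SAP's manual remediation steps.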
Describing it as good news, Fritsch said that:
“For existing installations, these manual remediation steps can be used as a full workaround for SAP Commerce installations that cannot install the latest patch releases in a timely manner.”