On its February 2021 Security Patch Day, SAP issued seven new security notes, including a Hot News note covering a serious vulnerability in SAP Commerce, and updated six previously released notes.
In its advisory, SAP explains that the critical issue, tracked as CVE-2021-21477 and carrying a CVSS score of 9.9, could be exploited for remote code execution. The flaw affects SAP Commerce installations that have the rule engine extension installed.
Intended to define and execute rules that handle decision-making scenarios, the rule engine uses a ruleContent attribute that offers scripting facilities. While changes to ruleContent should normally be permitted for highly privileged users only, a misconfiguration shipped with SAP Commerce allowed lower-privileged users and user groups to modify ruleContents as well.
“This enables unauthorized users to inject malicious code into these scripts resulting in a strong negative impact on the application’s confidentiality, integrity and availability,” researchers with Onapsis, a firm that specializes in securing Oracle and SAP applications, explain.
SAP has addressed the bug by changing the default permissions for new SAP Commerce installations, but existing installations require additional manual remediation steps. These steps, Onapsis says, can also serve as a full workaround where the latest patches cannot be installed.