SAP Commerce Critical Flaws Patched on SAP Security Patch Day

Pranjali Shukla

3 years ago

A critical vulnerability in the SAP Commerce has released a security fix for SAP Security Patch Day, along with several others.

Critical remote code execution flaw:

According to the April 2021 SAP Security Patch Day, the vulnerability, tracked as CVE-2021-27602, had a critical severity rating of 9.9 on the CVSS scale.

Detailing the security hazards posed by the vulnerability, it had the potential to be exploited to obtain remote code execution by threat actors.

Specifically, the SAP Commerce Backoffice software could have been compromised by the vulnerability, with unauthorized actors being able to inject malicious code in source rules by exploiting the scripting capabilities of the Rules engine.

The remote code execution vulnerability could have critically affected the SAP Commerce Backoffice software system’s discretion and availability.

To address the critical vulnerability, SAP introduced “additional validations and output encoding when processing rules.”

High severity vulnerabilities:

Deployment of security notes for a total of 4 high severity bugs was also addressed in this month’s SAP Security Patch Day.

Three of these flaws were information disclosures which are-

CVE-2021-21482 – NetWeaver Master Data Management
CVE-2021-21483 – Solution Manager
CVE-2021-21485 – NetWeaver AS for Java
While the fourth one was an unquoted service path in SAPSetup tracked as CVE-2021-27608.

SAP also deployed a patch for a high-severity note addressing CVE-2020-26832. This vulnerability was a result of a missing authorization check in NetWeaver AS ABAP and S4 HANA.

Medium severity vulnerabilities:

Amongst the other security notes that were addressed, several of them having medium severity ratings were also included.