Critical remote code execution flaw:
According to the April 2021 SAP Security Patch Day, the vulnerability, tracked as CVE-2021-27602, had a critical severity rating of 9.9 on the CVSS scale.
The vulnerability could have been exploited by threat actors to achieve remote code execution.
Specifically, the flaw affected the SAP Commerce Backoffice software: unauthorized actors could inject malicious code into source rules by abusing the scripting capabilities of the Rules engine.
The remote code execution vulnerability could have critically affected the confidentiality and availability of the SAP Commerce Backoffice software system.
To address the critical vulnerability, SAP introduced “additional validations and output encoding when processing rules.”
High severity vulnerabilities:
This month’s SAP Security Patch Day also included security notes for a total of four high-severity bugs.
Three of these flaws were information disclosure issues:
- CVE-2021-21482 – NetWeaver Master Data Management
- CVE-2021-21483 – Solution Manager
- CVE-2021-21485 – NetWeaver AS for Java
The fourth was an unquoted service path in SAPSetup, tracked as CVE-2021-27608.
SAP also released a patch for a high-severity note addressing CVE-2020-26832. This vulnerability was the result of a missing authorization check in NetWeaver AS ABAP and S/4HANA.
Medium severity vulnerabilities:
Several of the remaining security notes addressed this month carried medium severity ratings.
These covered vulnerabilities in the following SAP platforms:
- NetWeaver AS for Java
- NetWeaver AS for ABAP
- Process Integration (Integration Builder Framework)
- Process Integration (ESR Java Mappings)
- Manufacturing Execution (System Rules)
- Focused RUN
- HCM Travel Management Fiori Apps V2
Users and organizations running these products are advised to apply the available patches as soon as possible to keep their applications protected. Research published by SAP and Onapsis the previous week found that, in some cases, threat actors begin targeting newly patched vulnerabilities within days of the security updates being released, because the updates are not applied promptly.