CVE-2021-21477 in SAP Commerce Platform
CVE-2021-21477 could allow threat actors to take advantage of the SAP application used by e-commerce businesses, leading to remote code execution. The flaw affects SAP Commerce versions 1808, 1811, 1905, 2005, and 2011. It has a CVSS severity score of 9.9 out of 10, which rates its impact as critical, so mitigating the vulnerability as soon as possible is highly advisable.
How does the vulnerability work?
The vulnerability could allow specific users with the required privileges to edit Drools rules. Drools is the rule engine that creates the rules for the platform; businesses use these rules to handle their complex decision-making variations.
More specifically, the bug originates from a rule type that contains a ruleContent attribute, which provides scripting facilities. A misconfiguration of the default user permissions shipped with SAP Commerce could allow lower-privileged users and user groups to gain permissions and change the ruleContent of a DroolsRule. This alteration could then lead to unintended access to the corresponding scripting facilities.
In other words, an attacker with lower privileges could inject code into the Drools rule scripts. The injection of such code creates a remote code execution condition, which could lead to the compromise of the underlying host.
A Patch for CVE-2021-21477 Is Available, But…
Fortunately, a patch has already been released. However, the fix is only partial: it corrects the default permissions only when a new installation of the platform is initialized.
“For existing installations of SAP Commerce, additional manual remediation steps are required. The good news is that for existing installations, these manual remediation steps can be used as a full workaround for SAP Commerce installations that cannot install the latest patch releases in a timely manner,” explained security researcher Thomas Fritsch from Onapsis.
In July 2020, another critical security vulnerability was detected in the SAP NetWeaver Application, which contains a Java component called the LM Configuration Wizard. That vulnerability, CVE-2020-6287, was abused by hacking groups. Around 400,000 companies run the affected software, and an independent security audit found 2,500 SAP systems that were exposed to the Internet and vulnerable to the bug.