April 2021 Security Patch Day fixes a critical flaw in SAP Commerce

April 2021 Security Patch Day includes 14 new security notes and 5 updates to previously released notes, one of them fixes a critical issue in SAP Commerce.

April 2021 Security Patch Day includes 14 new security notes and 5 updates to previously released ones, among the issues addressed by the software giant there is a critical flaw in SAP Commerce.

“Similar to SAP’s February Patch Day, the only HotNews note besides the regularly recurring SAP Business Client note #2622660 and the minor update of HotNews #3022422 note, fixes a vulnerability in the Rules Engine of SAP Commerce. SAP Security Note #3040210, tagged with a CVSS score of 9.9 describes that certain authorized users of the SAP Commerce Backoffice application can exploit the scripting capabilities of the Rules engine to inject malicious code in the source rules. This can lead to a remote code execution with critical impact on the system’s confidentiality, integrity, and availability.” reads the advisory published by SAP security firm Onapsis.

The critical vulnerability, tracked as CVE-2021-27602, could be exploited by remote attackers to execute arbitrary code on vulnerable installs, it was rated with a CVSS score of 9.9.

The issue is described as a Remote Code Execution vulnerability in Source Rules of SAP Commerce, could allow authorized users of the SAP Commerce Backoffice software to inject malicious code in source rules leveraging the scripting capabilities of the Rules engine.

The issue affects SAP Commerce versions 1808, 1811, 1905, 2005, 2011.

“Backoffice application allows certain authorized users to create source rules which are translated to drools rule when published to certain modules within the application.” reads the advisory published by NIST. “An attacker with this authorization can inject malicious code in the source rules and perform remote code execution enabling them to compromise the confidentiality, integrity and availability of the application.”

April 2021 Security Patch Day includes two other Hot News security notes, which are updates to previously released notes.

The first one updates the Security Note released on August 2018 Patch Day, it includes security updates for the browser control Google Chromium delivered with SAP Business Client. The critical issue received a CVSS score of 10, t impacts Product – SAP Business Client, Version 6.5.

The second one updates the Security Note released on March 2021 Patch Day, it addresses a Missing Authorization Check in SAP NetWeaver AS JAVA tracked as CVE-2021-21481.

The flaw impacts SAP NetWeaver AS JAVA (MigrationService), Versions 7.10, 7.11, 7.30, 7.31, 7.40, 7.50.

The company also released security notes for four high-severity vulnerabilities, three of them are classified as information disclosure issues respectively impacting NetWeaver Master Data Management (CVE-2021-21482), Solution Manager (CVE-2021-21483), and NetWeaver AS for Java (CVE-2021-21485), and an unquoted service path in SAPSetup (CVE-2021-27608).

SAP also released an update for a high-severity note addressing a missing authorization check in NetWeaver AS ABAP and S4 HANA (SAP Landscape Transformation) tracked CVE-2020-26832.

The complete list of security notes released as part of SAP Security Patch Day – April 2021 is available here.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, SAP Commerce)

[adrotate banner=”5″]

[adrotate banner=”13″]