SAP Commerce Patched Another Critical Vulnerability


SAP on Tuesday published 14 new security notes and 5 updates to previously released notes as part of its April 2021 Security Patch Day. The only new Hot News note in this round fixes a critical vulnerability in SAP Commerce.

The critical vulnerability, tracked as CVE-2021-27602 and rated with a CVSS score of 9.9, could be exploited for remote code execution, according to SAP.

By abusing the scripting capabilities of the Rules engine, authorized users of the SAP Commerce Backoffice application can inject malicious code into source rules. Exploitation therefore requires a valid Backoffice account, which puts the flaw within reach of malicious insiders or of an attacker holding compromised credentials.

According to Onapsis, a company that specialises in securing Oracle and SAP applications, “this may lead to a remote code execution with critical impact on the system’s confidentiality, integrity, and availability.”

SAP says it fixed the vulnerability by adding “additional validations and output encoding while processing rules,” i.e. user-supplied rule content is now checked and encoded before the engine turns it into executable rule source.
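The pattern behind that fix, shown as an added illustration that is not SAP's code and does not reproduce the actual SAP Commerce flaw or any exploit for it: a toy rule compiler (Python standing in for a Java-based rule engine, with eval() standing in for the scripting engine) builds rule source from fields an authenticated but untrusted user typed into a back-office form. The vulnerable builder splices the value straight into the generated source, so it is parsed as code; the hardened builder validates field and operator against allowlists and encodes the value as a literal, and a separate structural check rejects any generated rule that contains more than one comparison. All names, the cart data and the payload are constructed for this example. Requires Python 3.9 or newer.

```python
import ast

# Constructed sample input: a promotion rule authored in an admin back office
# by an authenticated user. Field, operator and value are all user-controlled.
FIELD_ALLOWLIST = frozenset({"total", "currency"})
OP_ALLOWLIST = frozenset({"==", "!=", "<", "<=", ">", ">="})

# AST node types a generated rule may contain: exactly one comparison between
# a cart field and a constant. Calls, attribute access and boolean operators
# are not on the list and therefore fail the structural check.
SAFE_NODES = (ast.Expression, ast.Compare, ast.Subscript, ast.Name, ast.Constant,
              ast.Load, ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE)


def compile_rule_vulnerable(field, op, value):
    """Builds rule source by string concatenation (the weak pattern).
    Whatever the user typed for `value` lands in the source verbatim."""
    return f"cart['{field}'] {op} {value}"


def compile_rule_hardened(field, op, value):
    """Validates the structural parts against allowlists and encodes the value
    as a literal, so user input can only ever be data in the generated source."""
    if field not in FIELD_ALLOWLIST:
        raise ValueError(f"unknown field: {field!r}")
    if op not in OP_ALLOWLIST:
        raise ValueError(f"unknown operator: {op!r}")
    if isinstance(value, bool) or not isinstance(value, (int, float, str)):
        raise TypeError("value must be a number or a string")
    # repr() yields a quoted, escaped literal: quotes inside the value are
    # escaped instead of terminating the literal and starting new code.
    return f"cart[{field!r}] {op} {value!r}"


def rule_source_is_safe(source):
    """Structural check on generated source: parse it and reject any node type
    outside SAFE_NODES. Unparsable input is rejected as well."""
    try:
        tree = ast.parse(source, mode="eval")
    except SyntaxError:
        return False
    return all(isinstance(node, SAFE_NODES) for node in ast.walk(tree))


def evaluate_rule(source, cart):
    """Stand-in for the scripting engine. Stripping builtins is not a sandbox:
    everything reachable through `cart` is still callable from the rule."""
    return eval(source, {"__builtins__": {}}, {"cart": cart})


def demo():
    """Runs the same hostile value through both builders and reports what
    each generated rule does to the cart it is evaluated against."""
    # Constructed payload: a value that is also valid code. In the vulnerable
    # path it zeroes the cart total and then forces the rule to match.
    payload = "0 or cart.update({'total': 0}) or True"

    vuln_cart = {"total": 150.0, "currency": "EUR"}
    vuln_src = compile_rule_vulnerable("total", "==", payload)
    vuln_result = evaluate_rule(vuln_src, vuln_cart)

    safe_cart = {"total": 150.0, "currency": "EUR"}
    safe_src = compile_rule_hardened("total", "==", payload)
    safe_result = evaluate_rule(safe_src, safe_cart)

    return {
        "vulnerable_source": vuln_src,
        "vulnerable_result": vuln_result,   # True: rule matched
        "vulnerable_cart": vuln_cart,       # total is now 0
        "hardened_source": safe_src,
        "hardened_result": safe_result,     # False: 150.0 != a string
        "hardened_cart": safe_cart,         # untouched
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The two layers are independent on purpose: the builder stops user input from becoming syntax, and rule_source_is_safe() catches a rule that somehow bypassed the builder (a second code path, a rule imported from a file) before the engine ever sees it. Removing builtins from the evaluation scope, as evaluate_rule() does, is shown only to make the point that it is not a substitute for either.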

Two other Hot News security notes in this month’s Security Patch Day are updates to previously released notes. The first updates the Chromium-based browser control shipped with SAP Business Client, while the second addresses a missing authorization check in NetWeaver AS JAVA.

SAP’s April 2021 Security Patch Day also brought security notes for three high-severity vulnerabilities in NetWeaver Master Data Management (CVE-2021-21482), Solution Manager (CVE-2021-21483), and NetWeaver AS for Java (CVE-2021-21485), as well as for an unquoted service path in SAPSetup (CVE-2021-27608).

SAP also updated the high-severity note for CVE-2020-26832, a missing authorization check in NetWeaver AS ABAP and S4 HANA (SAP Landscape Transformation).

The remaining medium-severity security notes cover NetWeaver AS for Java, NetWeaver AS for ABAP, Process Integration (Integration Builder Framework), Process Integration (ESR Java Mappings), Manufacturing Execution (System Rules), Focused Run, and HCM Travel Management Fiori Apps V2.

Between the March and April 2021 Security Patch Days, SAP addressed four other vulnerabilities in out-of-band security notes.

Organisations should apply the available patches as soon as possible to keep their applications secure. According to a study published last week by SAP and Onapsis, threat actors start targeting newly patched SAP vulnerabilities within days of the security updates being announced, so the window between patch release and exploitation attempts is short.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.