Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

April 2021 Security Patch Day fixes a critical flaw in SAP Commerce

April 2021 Security Patch Day includes 14 new security notes and 5 updates to previously released notes, one of them fixes a critical issue in SAP Commerce. April 2021 Security Patch Day includes 14 new security notes and 5 updates to previously released ones, among the issues addressed by the software giant there is a […]

SAP

April 2021 Security Patch Day includes 14 new security notes and 5 updates to previously released notes, one of them fixes a critical issue in SAP Commerce.

April 2021 Security Patch Day includes 14 new security notes and 5 updates to previously released ones, among the issues addressed by the software giant there is a critical flaw in SAP Commerce.

“Similar to SAP’s February Patch Day, the only HotNews note besides the regularly recurring SAP Business Client note #2622660 and the minor update of HotNews #3022422 note, fixes a vulnerability in the Rules Engine of SAP Commerce. SAP Security Note #3040210, tagged with a CVSS score of 9.9 describes that certain authorized users of the SAP Commerce Backoffice application can exploit the scripting capabilities of the Rules engine to inject malicious code in the source rules. This can lead to a remote code execution with critical impact on the system’s confidentiality, integrity, and availability.” reads the advisory published by SAP security firm Onapsis.

The critical vulnerability, tracked as CVE-2021-27602, could be exploited by remote attackers to execute arbitrary code on vulnerable installs, it was rated with a CVSS score of 9.9.

The issue is described as a Remote Code Execution vulnerability in Source Rules of SAP Commerce, could allow authorized users of the SAP Commerce Backoffice software to inject malicious code in source rules leveraging the scripting capabilities of the Rules engine.

The issue affects SAP Commerce versions 1808, 1811, 1905, 2005, 2011.

“Backoffice application allows certain authorized users to create source rules which are translated to drools rule when published to certain modules within the application.” reads the advisory published by NIST. “An attacker with this authorization can inject malicious code in the source rules and perform remote code execution enabling them to compromise the confidentiality, integrity and availability of the application.”

April 2021 Security Patch Day includes two other Hot News security notes, which are updates to previously released notes.

The first one updates the Security Note released on August 2018 Patch Day, it includes security updates for the browser control Google Chromium delivered with SAP Business Client. The critical issue received a CVSS score of 10, t impacts Product – SAP Business Client, Version 6.5.

The second one updates the Security Note released on March 2021 Patch Day, it addresses a Missing Authorization Check in SAP NetWeaver AS JAVA tracked as CVE-2021-21481.

The flaw impacts SAP NetWeaver AS JAVA (MigrationService), Versions 7.10, 7.11, 7.30, 7.31, 7.40, 7.50.

The company also released security notes for four high-severity vulnerabilities, three of them are classified as information disclosure issues respectively impacting NetWeaver Master Data Management (CVE-2021-21482), Solution Manager (CVE-2021-21483), and NetWeaver AS for Java (CVE-2021-21485), and an unquoted service path in SAPSetup (CVE-2021-27608).

SAP also released an update for a high-severity note addressing a missing authorization check in NetWeaver AS ABAP and S4 HANA (SAP Landscape Transformation) tracked CVE-2020-26832.

The complete list of security notes released as part of SAP Security Patch Day – April 2021 is available here.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, SAP Commerce)

[adrotate banner=”5″]

[adrotate banner=”13″]