CVE-2021-27602 -Remote Code Execution Vulnerability In Source Rules Of SAP Commerce

SAP Security
SAP Security

Symptoms of CVE-2021-27602:

CVE-2021-27602 is related to SAP Commerce Backoffice application: versions – 1808, 1811, 1905, 2005 & 2011 that allows certain authorized users to create source rules which are translated to drools rule when published to certain modules within the application.

An attacker with this authorization can inject malicious code to source rules and perform remote code execution enabling them to compromise the confidentiality, integrity and availability of the application.

Reason and prerequisites:

This vulnerability affects both on-premise installations of SAP Commerce and SAP Commerce Cloud in the Public Cloud.

SAP Commerce installations that do not include any extensions from the Rule Engine module are not affected.

Image source: help.sap.com

CVE-2021-27602: CVSS Score as per SAP :

CVSS v3.0 Base Score: 9,9 / 10

CVSS v3.0 Base Vector:

NameValue
Attack Vector (AV)Network (N)
Attack Complexity (AC)Low (L)
Privileges Required (PR)Low (L)
User Interaction (UI)None (N)
Scope (S)Changed (C)
Confidentiality Impact (C)High (H)
Integrity Impact (I)High (H)
Availability Impact (A)High (H)

Solution and Workaround

A) Patch release

Apply the patch release to fix this vulnerability.

We can find the software downloads of patches in the SAP Support portal.

Detailed procedure of installing patches can be found here

B) Workaround:

To ameliorate this vulnerability, SAP has also provided a workaround.
However SAP strongly recommends the patching method.

This workaround adjusts the permissions and limits access to only specific users.
Refer SAP note which describes how to apply this workaround.