On 09.02.2021 SAP SE released a security-relevant correction that resolves an issue in SAP Commerce Cloud.
SAP Note 3014121 addresses "[CVE-2021-21477] Remote Code Execution vulnerability in SAP Commerce", preventing code injection; SAP rates the risk of exploitation as Hot News.
According to the SAP Security Advisory team, no workaround exists; the team advises implementing the correction as part of maintenance.
Risk specification: The SAP Commerce Backoffice application allows users holding the required privilege to edit Drools rules (Rule Engine module). An authenticated attacker with this privilege can inject malicious code into the Drools rules; when the rules are executed, the code runs on the underlying host (remote code execution), allowing the attacker to compromise that host and to impair the confidentiality, integrity, and availability of the application.
SAP Commerce Cloud addresses this remote code execution vulnerability with two measures:
1. Improving the default permissions that govern change access to the scripting facilities of DroolsRules (considered the main defense).
2. Disabling the script editing facilities for DroolsRules in the SAP Commerce Backoffice (considered a second line of defense).
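Because the consequence ("then" block) of a Drools rule is executed as Java, the review point for a defender is whether any rule consequence reaches into APIs a business rule never needs. The following audit helper is an added example, not SAP's code or part of the Note; it assumes rules are available as DRL text (exported or read from the rule repository) and uses constructed sample rules with a constructed indicator.

```python
import re

# Hypothetical audit helper (not SAP's code): flag Drools rule consequences
# that reference APIs a promotion/business rule should never need.
# A review aid for rules changed via the Backoffice; it does not replace
# the permission hardening delivered by SAP Note 3014121.
RISKY_PATTERNS = {
    "process execution": re.compile(r"\b(Runtime\.getRuntime|ProcessBuilder)\b"),
    "reflection/classloading": re.compile(r"\b(Class\.forName|getDeclaredMethod|ClassLoader)\b"),
    "filesystem access": re.compile(r"\bjava\.io\.(File|FileWriter|FileOutputStream)\b"),
    "script engine": re.compile(r"\b(ScriptEngineManager|javax\.script)\b"),
}

# rule "name" ... then <consequence> end  (consequence is Java in the default dialect)
RULE_RE = re.compile(
    r'rule\s+"(?P<name>[^"]+)"(?P<body>.*?)\bthen\b(?P<then>.*?)\bend\b', re.S
)


def audit_drl(drl: str) -> list:
    """Return one finding per rule whose consequence matches a risky pattern."""
    findings = []
    for m in RULE_RE.finditer(drl):
        consequence = m.group("then")
        hits = [label for label, pat in RISKY_PATTERNS.items() if pat.search(consequence)]
        if hits:
            findings.append({"rule": m.group("name"), "indicators": hits})
    return findings


# Constructed sample: one ordinary cart rule and one rule whose consequence
# carries a constructed code-injection indicator.
SAMPLE_DRL = '''
rule "free_shipping_over_100"
when
    $cart : CartRAO( total > 100 )
then
    // benign consequence: only updates the matched fact
    modify($cart) { setDiscount(10) }
end

rule "injected_consequence"
when
    $cart : CartRAO()
then
    // constructed indicator of injected code in a rule consequence
    Runtime.getRuntime().exec(command);
end
'''

if __name__ == "__main__":
    for finding in audit_drl(SAMPLE_DRL):
        print(f'rule "{finding["rule"]}": {", ".join(finding["indicators"])}')
```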