On 14.12.2021 a security relevant correction has been released by SAP SE. The manufacturer resolves an issue within SAP Commerce.
SAP Note 3113593 addresses "Denial of service (DOS) in SAP Commerce", a denial-of-service (DoS) issue rated as carrying a high risk of exploitation.
According to the SAP Security Advisory team, a workaround exists; the team nevertheless suggests implementing the correction as part of regular maintenance.
Denial of Service (DoS) attacks that take a system offline can lead to significant cost for the company; studies put the average cost between 4 and 5 million dollars. Business continuity requires SAP systems to stay online. CVSS scores and vulnerability descriptions alone do not convey how a simple bug can lead to a significant loss for a company.
Risk specification
The library jsoup, which is used to sanitize various product-related metadata in the b2caccelerator of SAP Commerce, may be vulnerable to DoS attacks. A user with write access to product metadata could exploit this vulnerability.
SAP Commerce addresses this vulnerability by upgrading jsoup to a version that does not contain the vulnerability. Circumstances may prevent the timely installation of the patch provided by the manufacturer. In such cases, you may consider applying the suggested workaround as a temporary or compensating mitigation: "To minimize the impact, restrictions to product related field length could be implemented to limit the size of inputs sent to jsoup".
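One way to implement the suggested length restriction is to enforce a hard size cap on each product-related field before the value is handed to the HTML sanitizer, and to reject the write when the cap is exceeded. The following is an added example, not SAP's or jsoup's own code; the class name, the 4096-character cap, the field name and the stand-in sanitizer are assumptions chosen for illustration.

```java
import java.util.function.UnaryOperator;

// Added example (not SAP Commerce or jsoup code): a guard that bounds the size
// of product metadata before it reaches the HTML sanitizer.
public final class BoundedMetadataSanitizer {

    /** Raised when a field exceeds the configured limit; the caller rejects the write. */
    public static final class InputTooLargeException extends IllegalArgumentException {
        InputTooLargeException(String field, int actual, int max) {
            super("field '" + field + "' has " + actual + " characters, limit is " + max);
        }
    }

    private final int maxChars;
    private final UnaryOperator<String> sanitizer;

    public BoundedMetadataSanitizer(int maxChars, UnaryOperator<String> sanitizer) {
        if (maxChars <= 0) {
            throw new IllegalArgumentException("maxChars must be positive");
        }
        this.maxChars = maxChars;
        this.sanitizer = sanitizer;
    }

    /**
     * Checks the length first and only then calls the sanitizer, so oversized
     * input never reaches the HTML parser. Rejecting (rather than truncating)
     * avoids silently storing a cut-off fragment of markup.
     */
    public String sanitize(String field, String raw) {
        if (raw == null) {
            return null;
        }
        int size = raw.length();
        if (size > maxChars) {
            throw new InputTooLargeException(field, size, maxChars);
        }
        return sanitizer.apply(raw);
    }

    public static void main(String[] args) {
        // In a real deployment the sanitizer would wrap jsoup (assumption:
        // e.g. s -> Jsoup.clean(s, Safelist.basic())). A trivial stand-in keeps
        // this example compilable without the dependency.
        UnaryOperator<String> stub = s -> s.replace("<script>", "");
        BoundedMetadataSanitizer guard = new BoundedMetadataSanitizer(4096, stub);

        // Constructed sample inputs: one normal description, one oversized one.
        System.out.println(guard.sanitize("description", "<p>Blue widget</p>"));

        String huge = "<div>".repeat(10_000);
        try {
            guard.sanitize("description", huge);
        } catch (InputTooLargeException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The cap should be applied at every write path for the affected fields (import jobs and APIs as well as the storefront form), and rejected writes are worth logging with the field name and size so that repeated oversized submissions from one account are visible to operations.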
- 7.5 [CVE-2021-33670] Denial of Service (DoS) in SAP NetWeaver AS for Java (Http Service)
- 7.5 [CVE-2020-6186] Denial of Service (DOS) Vulnerability in SAP Host Agent
- 7.5 [CVE-2022-28772] Denial of service (DOS) in SAP Web Dispatcher and SAP Netweaver (Internet Communication Manager)
- 7.5 [CVE-2020-6196] Denial of service (DOS) in SAP BusinessObjects Mobile (MobileBIService)
- 6.5 [Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer