Advisory
On 14.12.2021 a security relevant correction has been released by SAP SE. The manufacturer resolves an issue within SAP Commerce.
SAP Note 3113593 addresses "Denial of service (DOS) in SAP Commerce" to prevent denial of service (dos) with a high risk for exploitation.
A workaround does exist, according to SAP Security Advisory team. It is advisable to implement the correction as part of maintenance, the team suggests.
Denial of Service (DoS) attacks that take a system offline may lead to significant cost for the company, studies quantify the costs in average between 4 and 5 millions dollars. Business continuity requires SAP systems staying online. The CVSS scores or vulnerability descriptions are not enough to represent how a simple bug can lead to a significant loss for companies.
Risk specification
The library jsoup, which is used to sanitize various product-related metadata in b2caccelerator of the SAP Commerce may be vulnerable to DOS attacks. A user with write access to product metadata could exploit this vulnerability.Solution
SAP Commerce addresses this vulnerability by upgrading jsoup, which does not contain the vulnerability. Circumstances exist that prevent the timely installation of a patch provided by the manufacturer. In such cases, you may consider applying the suggested workaround as a temporary or compensating mitigation: "To minimize the impact, restrictions to product related field length could be implemented to limit the size of inputs sent to jsoup".
- 9.8 Multiple vulnerabilities associated with Reprise License Manager 14.2 component used with SAP 3D Visual Enterprise License Manager
- 7.8 [CVE-2023-33990] Denial of service (DOS) vulnerability in SAP SQL Anywhere
- 7.7 [CVE-2023-35871] Memory Corruption vulnerability in SAP Web Dispatcher
- 7.5 [CVE-2023-32111] Memory Corruption vulnerability in SAP PowerDesigner (Proxy)
- 7.5 [CVE-2020-6186] Denial of Service (DOS) Vulnerability in SAP Host Agent
