SAP takes the security of its vast product portfolio very seriously and thus releases security fixes for
vulnerabilities reported by external researchers and their customers every second Tuesday of the month.
SAP Note 3155609
was released on
12.04.2022 and deals with
"Privilege escalation vulnerability in Apache Tomcat server component of SAP Commerce" within SAP Commerce.
We advice you to follow the instructions, to resolve
weak security function / cryptographic algorithm
high potential for exploitation
in component CEC-COM-CPS.
According to SAP Security Advisory team a workaround exists. It is advisable to implement the correction as part of maintenance.
Risk specificationConfiguring Tomcat to use FileStore to persist sessions can expose your SAP Commerce system to a time of check, time of use vulnerability that allows attackers to perform actions with the privileges of the user that the Tomcat process is using
The application was updated to no longer be vulnerable to the attack Alternativly, the consulting team has proposed the following: "Change the Tomcat configuration to not use FileStore as a workaround ". The suggestion may be considered, as a workaround or compensating mitigation. We recommend installing/applying the correction wherever possible and as soon as possible. Base your decision on whether or not to apply the patch on your companies and systems risk perspective and consider the provided CVSS 7.0 score.