{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2021-020.pdf"
    },
    "title": "SAP - Critical Vulnerabilities",
    "serial_number": "2021-020",
    "publish_date": "15-04-2021 08:33:00",
    "description": "On the 13th of April 2021, SAP released 14 Security Notes on the Security Patch Day. Security Note #3040210 addresses a critical vulnerability, CVE-2021-27602, affecting SAP Commerce. Another critical vulnerability, CVE-2021-21481 in Security Note #3022422, affects the MigrationService, which is part of SAP NetWeaver.<br>Security Note #2622660 refers to a vulnerability that impacts SAP Business Client, a user interface that acts as an entry point to various SAP business applications. The security risk resides not in the product itself, but in the browser control (Chromium) that comes with it. There are no details about the issue, except that it has been rated with the maximum severity score, 10 out of 10.",
    "url_title": "2021-020",
    "content_markdown": "---\ntitle: 'SAP - Critical Vulnerabilities'\nversion: '1.0'\nnumber: '2021-020'\ndate: 'April 15, 2021'\n---\n\n# Summary\n\nOn the 13th of April 2021, SAP released 14 Security Notes on the Security Patch Day [1]. Security Note #3040210 [2] addresses a critical vulnerability, CVE-2021-27602 [3], affecting SAP Commerce. Another critical vulnerability, CVE-2021-21481 [4] in Security Note #3022422 [5], affects the MigrationService, which is part of SAP NetWeaver.\n\nSecurity Note #2622660 [6] refers to a vulnerability that impacts SAP Business Client, a user interface that acts as an entry point to various SAP business applications. The security risk resides not in the product itself, but in the browser control (Chromium) that comes with it. There are no details about the issue, except that it has been rated with the maximum severity score, **10 out of 10**.\n\n# Technical Details\n\nThe vulnerability CVE-2021-27602 has **CVSS score 9.9** [3]. The back-office application of SAP Commerce, versions 1808, 1811, 1905, 2005 and 2011, allows certain authorised users to create source rules, which are translated to Drools rules when published to certain modules within the application. An attacker with this authorisation can inject malicious code into the source rules and achieve remote code execution, compromising the confidentiality, integrity and availability of the application.\n\nThe vulnerability CVE-2021-21481 has **CVSS score 9.6** [4]. The MigrationService, which is part of SAP NetWeaver versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40 and 7.50, does not perform an authorisation check. This might allow an unauthorised attacker to access configuration objects, including ones that grant administrative privileges. This could result in complete compromise of system confidentiality, integrity and availability.\n\n# Products Affected\n\n- SAP Commerce, versions 1808, 1811, 1905, 2005, 2011\n- SAP NetWeaver, versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50\n\n# Recommendations\n\nConsidering the seriousness of the flaws, and the fact that **exploits are already available**, CERT-EU strongly advises **applying the available patches as soon as possible**.\n\n# References\n\n[1] <https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=573801649>\n\n[2] <https://launchpad.support.sap.com/#/notes/3040210>\n\n[3] <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27602>\n\n[4] <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21481>\n\n[5] <https://launchpad.support.sap.com/#/notes/3022422>\n\n[6] <https://launchpad.support.sap.com/#/notes/2622660>\n",
    "content_html": "<h2 id=\"summary\">Summary</h2><p>On the 13th of April 2021, SAP released 14 Security Notes on the Security Patch Day [1]. Security Note #3040210 [2] addresses a critical vulnerability, CVE-2021-27602 [3], affecting SAP Commerce. Another critical vulnerability, CVE-2021-21481 [4] in Security Note #3022422 [5], affects the MigrationService, which is part of SAP NetWeaver.</p><p>Security Note #2622660 [6] refers to a vulnerability that impacts SAP Business Client, a user interface that acts as an entry point to various SAP business applications. The security risk resides not in the product itself, but in the browser control (Chromium) that comes with it. There are no details about the issue, except that it has been rated with the maximum severity score, <strong>10 out of 10</strong>.</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerability CVE-2021-27602 has <strong>CVSS score 9.9</strong> [3]. The back-office application of SAP Commerce, versions 1808, 1811, 1905, 2005 and 2011, allows certain authorised users to create source rules, which are translated to Drools rules when published to certain modules within the application. An attacker with this authorisation can inject malicious code into the source rules and achieve remote code execution, compromising the confidentiality, integrity and availability of the application.</p><p>The vulnerability CVE-2021-21481 has <strong>CVSS score 9.6</strong> [4]. The MigrationService, which is part of SAP NetWeaver versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40 and 7.50, does not perform an authorisation check. This might allow an unauthorised attacker to access configuration objects, including ones that grant administrative privileges. This could result in complete compromise of system confidentiality, integrity and availability.</p><h2 id=\"products-affected\">Products Affected</h2><ul><li>SAP Commerce, versions 1808, 1811, 1905, 2005, 2011</li><li>SAP NetWeaver, versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>Considering the seriousness of the flaws, and the fact that <strong>exploits are already available</strong>, CERT-EU strongly advises <strong>applying the available patches as soon as possible</strong>.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=573801649\">https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=573801649</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://launchpad.support.sap.com/#/notes/3040210\">https://launchpad.support.sap.com/#/notes/3040210</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27602\">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27602</a></p><p>[4] <a rel=\"noopener\" target=\"_blank\" href=\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21481\">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21481</a></p><p>[5] <a rel=\"noopener\" target=\"_blank\" href=\"https://launchpad.support.sap.com/#/notes/3022422\">https://launchpad.support.sap.com/#/notes/3022422</a></p><p>[6] <a rel=\"noopener\" target=\"_blank\" href=\"https://launchpad.support.sap.com/#/notes/2622660\">https://launchpad.support.sap.com/#/notes/2622660</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}