{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2021-026.pdf"
    },
    "title": "SAP - Critical Vulnerabilities",
    "serial_number": "2021-026",
    "publish_date": "09-06-2021 12:56:00",
    "description": "On 8 June 2021, SAP released 17 Security Notes, including two updates to previously released Patch Day Security Notes.<br>Among the vulnerabilities, two are rated critical, with a CVSS score of 9.0 or higher:<br>- CVE-2021-27602 - Remote Code Execution vulnerability in Source Rules of SAP Commerce<br>- CVE-2021-27610 - Improper Authentication in SAP NetWeaver ABAP Server and ABAP Platform",
    "url_title": "2021-026",
    "content_markdown": "---\ntitle: 'SAP - Critical Vulnerabilities'\nversion: '1.0'\nnumber: '2021-026'\ndate: 'June 9, 2021'\n---\n\n_History:_\n\n* _9/06/2021 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn 8 June 2021, SAP released 17 Security Notes, including two updates to previously released Patch Day Security Notes [1].\n\nAmong the vulnerabilities, two are rated critical, with a CVSS score of 9.0 or higher:\n\n- **CVE-2021-27602** - Remote Code Execution vulnerability in Source Rules of SAP Commerce\n- **CVE-2021-27610** - Improper Authentication in SAP NetWeaver ABAP Server and ABAP Platform\n\n# Technical Details\n\nSecurity Note #3040210 [2] addresses the critical vulnerability CVE-2021-27602 [3] affecting SAP Commerce. This is an update to a previously published Security Note for a vulnerability we also addressed in our advisory [6].\n\nThe vulnerability CVE-2021-27602 has a **CVSS score of 9.9**. The Backoffice application allows certain authorised users to create source rules, which are translated into Drools rules when published to certain modules within the application. An attacker holding this authorisation can inject malicious code into the source rules and achieve remote code execution, compromising the confidentiality, integrity and availability of the application [3]. Note that the prerequisite is a legitimate Backoffice account with rule-authoring rights, so the attack surface includes insider and compromised-account scenarios, not only anonymous remote access.\n\nSecurity Note #3007182 [5] addresses the critical vulnerability CVE-2021-27610 [4] affecting SAP NetWeaver AS ABAP and ABAP Platform.\n\nThe vulnerability CVE-2021-27610 has a **CVSS score of 9.0** [4]. It is an improper authentication flaw in SAP NetWeaver ABAP Server and ABAP Platform; no further technical details have been published at the time of writing.\n\n# Products Affected\n\n- SAP Commerce, Versions - 1808, 1811, 1905, 2005, 2011\n- SAP NetWeaver AS ABAP and ABAP Platform, Versions - 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 804\n\n# Recommendations\n\nConsidering the seriousness of the flaws, CERT-EU strongly advises applying the **available patches as soon as possible**. For SAP Commerce, it is also advisable to review which users hold source-rule authoring rights in Backoffice and to audit existing published rules for unexpected code.\n\n# References\n\n[1] <https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999>\n\n[2] <https://launchpad.support.sap.com/#/notes/3040210>\n\n[3] <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27602>\n\n[4] <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27610>\n\n[5] <https://launchpad.support.sap.com/#/notes/3007182>\n\n[6] <https://media.cert.europa.eu/static/SecurityAdvisories/2021/CERT-EU-SA2021-020.pdf>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>9/06/2021 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On 8 June 2021, SAP released 17 Security Notes, including two updates to previously released Patch Day Security Notes [1].</p><p>Among the vulnerabilities, two are rated critical, with a CVSS score of 9.0 or higher:</p><ul><li><strong>CVE-2021-27602</strong> - Remote Code Execution vulnerability in Source Rules of SAP Commerce</li><li><strong>CVE-2021-27610</strong> - Improper Authentication in SAP NetWeaver ABAP Server and ABAP Platform</li></ul><h2 id=\"technical-details\">Technical Details</h2><p>Security Note #3040210 [2] addresses the critical vulnerability CVE-2021-27602 [3] affecting SAP Commerce. This is an update to a previously published Security Note for a vulnerability we also addressed in our advisory [6].</p><p>The vulnerability CVE-2021-27602 has a <strong>CVSS score of 9.9</strong>. The Backoffice application allows certain authorised users to create source rules, which are translated into Drools rules when published to certain modules within the application. An attacker holding this authorisation can inject malicious code into the source rules and achieve remote code execution, compromising the confidentiality, integrity and availability of the application [3]. Note that the prerequisite is a legitimate Backoffice account with rule-authoring rights, so the attack surface includes insider and compromised-account scenarios, not only anonymous remote access.</p><p>Security Note #3007182 [5] addresses the critical vulnerability CVE-2021-27610 [4] affecting SAP NetWeaver AS ABAP and ABAP Platform.</p><p>The vulnerability CVE-2021-27610 has a <strong>CVSS score of 9.0</strong> [4]. It is an improper authentication flaw in SAP NetWeaver ABAP Server and ABAP Platform; no further technical details have been published at the time of writing.</p><h2 id=\"products-affected\">Products Affected</h2><ul><li>SAP Commerce, Versions - 1808, 1811, 1905, 2005, 2011</li><li>SAP NetWeaver AS ABAP and ABAP Platform, Versions - 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 804</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>Considering the seriousness of the flaws, CERT-EU strongly advises applying the <strong>available patches as soon as possible</strong>. For SAP Commerce, it is also advisable to review which users hold source-rule authoring rights in Backoffice and to audit existing published rules for unexpected code.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999\">https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://launchpad.support.sap.com/#/notes/3040210\">https://launchpad.support.sap.com/#/notes/3040210</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27602\">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27602</a></p><p>[4] <a rel=\"noopener\" target=\"_blank\" href=\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27610\">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27610</a></p><p>[5] <a rel=\"noopener\" target=\"_blank\" href=\"https://launchpad.support.sap.com/#/notes/3007182\">https://launchpad.support.sap.com/#/notes/3007182</a></p><p>[6] <a rel=\"noopener\" target=\"_blank\" href=\"https://media.cert.europa.eu/static/SecurityAdvisories/2021/CERT-EU-SA2021-020.pdf\">https://media.cert.europa.eu/static/SecurityAdvisories/2021/CERT-EU-SA2021-020.pdf</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}
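The CVE-2021-27602 description above says that source rules authored in Backoffice are translated into Drools rules, and that a rule author can plant code in them. The following is an added example, written for this page and not taken from the CERT-EU advisory, SAP or Drools: a small audit that scans published rule text for Java constructs that have no business in a pricing or promotion rule (process execution, reflection, file and network I/O, scripting engines). It assumes the rules are available in Drools DRL syntax, where the `then ... end` consequence block is plain Java; the two sample rules, the `Cart` fact type and the pattern list are constructed for illustration and are a heuristic, not a complete detector. Applying Security Note #3040210 remains the fix; this is the kind of check to run over rules that were published before patching.

```python
"""
Added example: audit Drools DRL rule text for dangerous Java in the consequence.
Not part of the advisory or of SAP's code; DRL layout and samples are assumptions.
"""
import re

# Java constructs that would give a rule author process, file, network,
# reflection or scripting access from inside a rule consequence.
# Heuristic list, constructed for this example; extend to taste.
DANGEROUS_PATTERNS = {
    "process-exec": re.compile(r"Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec|ProcessBuilder"),
    "reflection": re.compile(r"Class\s*\.\s*forName|getDeclaredMethod|setAccessible"),
    "file-io": re.compile(r"java\.io\.File|FileOutputStream|FileWriter|\bFiles\s*\."),
    "network": re.compile(r"java\.net\.|new\s+URL\s*\(|Socket\s*\("),
    "scripting": re.compile(r"ScriptEngineManager|javax\.script"),
    "system": re.compile(r"System\s*\.\s*(exit|load|loadLibrary|setProperty)"),
}

# One DRL rule: 'rule "<name>" ... then <java> end'. Non-greedy so each
# match stops at the first 'end' that closes its own consequence.
RULE_RE = re.compile(
    r"rule\s+\"(?P<name>[^\"]+)\".*?\bthen\b(?P<consequence>.*?)\bend\b",
    re.DOTALL,
)


def extract_rules(drl: str):
    """Yield (rule_name, consequence_java) pairs found in a DRL document."""
    for m in RULE_RE.finditer(drl):
        yield m.group("name"), m.group("consequence")


def audit_drl(drl: str) -> dict:
    """Return {rule_name: [finding_label, ...]} for every rule whose
    consequence matches at least one dangerous pattern. Clean rules are
    omitted, so an empty dict means nothing was flagged."""
    findings = {}
    for name, consequence in extract_rules(drl):
        hits = [label for label, pat in DANGEROUS_PATTERNS.items()
                if pat.search(consequence)]
        if hits:
            findings[name] = hits
    return findings


# Constructed sample: a benign promotion rule followed by one whose
# consequence carries a planted process-execution call.
SAMPLE_DRL = '''
package rules.sample

rule "free_shipping_over_100"
when
    $cart : Cart( total > 100 )
then
    $cart.setDeliveryCost(0);
    update($cart);
end

rule "apply_discount"
when
    $cart : Cart( total > 50 )
then
    Runtime.getRuntime().exec("whoami");
    $cart.setDiscount(5);
    update($cart);
end
'''

if __name__ == "__main__":
    for rule, hits in audit_drl(SAMPLE_DRL).items():
        print(f"{rule}: {', '.join(hits)}")
```

Run against an export of the published rules, anything reported deserves a look at who authored the rule and when; a rule that legitimately needs Java beyond fact updates is itself a finding for least-privilege review of Backoffice rule-authoring rights.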