SAP Security Notes, February 2021
Hot News note 3014121 patches a critical remote code execution vulnerability in SAP Commerce. The Backoffice application in SAP Commerce enables certain users with the required privileges to edit Drools rules. An authenticated attacker with this privilege can inject malicious code into the Drools rules and thereby compromise the SAP host. The vulnerability affects the DroolsRule item type of the ruleengine extension. The DroolsRule item type exposes scripting facilities via its ruleContent attribute. Changing ruleContent should normally be limited to highly privileged users, such as members of admingroup. Due to a misconfiguration of the default user permissions shipped with SAP Commerce, several lower-privileged users and user groups can obtain permission to change the ruleContent of DroolsRule items and thus reach the scripting facilities.
SAP Commerce installations that do not have the ruleengine extension installed are not affected. However, the extension is a common component of SAP Commerce installations. Note 3014121 improves the default permissions that govern change access to scripting facilities of DroolsRules. Script editing facilities for DroolsRules can be disabled in the SAP Commerce Backoffice as a second line of defense.
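As an added audit example (not code from SAP or from the note), the script below scans an exported user-rights block for non-admin principals that hold change permission on DroolsRule or its ruleContent attribute, which is the misconfiguration the note addresses. The block layout is assumed to follow the `$START_USERRIGHTS` ImpEx section (Type;UID;...;Target;read;change;create;delete;change_perm, with `+` grant, `-` deny, `.` unset); the sample export, the group names other than admingroup, and the function names are constructed for this example.

```python
# Audit helper, added example; the user-rights layout and '+'/'-'/'.' flag
# semantics are assumptions, not taken from the SAP note.
SENSITIVE_TARGETS = {"DroolsRule", "DroolsRule.ruleContent"}
ALLOWED_PRINCIPALS = {"admingroup"}

# Constructed sample export: employeegroup is wrongly granted change on ruleContent.
SAMPLE_RIGHTS = """\
$START_USERRIGHTS
Type;UID;MemberOfGroups;Password;Target;read;change;create;delete;change_perm
UserGroup;admingroup;;;;;;;;
;;;;DroolsRule;+;+;+;+;+
UserGroup;employeegroup;;;;;;;;
;;;;DroolsRule;+;-;-;-;-
;;;;DroolsRule.ruleContent;+;+;.;.;.
UserGroup;customergroup;;;;;;;;
;;;;DroolsRule;-;-;-;-;-
$END_USERRIGHTS
"""


def parse_user_rights(text):
    """Return {principal: {target: {permission: flag}}} for a user-rights block."""
    rights, principal, columns = {}, None, None
    for line in text.splitlines():
        if line.startswith("$") or not line.strip():
            continue                        # section markers and blank lines
        cells = line.split(";")
        if cells[0] == "Type":
            columns = cells[5:]             # permission column names
            continue
        if cells[0]:                        # principal line: Type;UID;...
            principal = cells[1]
            rights.setdefault(principal, {})
            continue
        target = cells[4]                   # target line: ;;;;Type[.attribute];flags
        rights[principal][target] = dict(zip(columns, cells[5:]))
    return rights


def find_excess_change_rights(text, targets=SENSITIVE_TARGETS, allowed=ALLOWED_PRINCIPALS):
    """List (principal, target) pairs where a non-allowed principal may change the target."""
    findings = []
    for principal, target_map in parse_user_rights(text).items():
        if principal in allowed:
            continue
        for target, perms in target_map.items():
            if target in targets and perms.get("change") == "+":
                findings.append((principal, target))
    return findings
```

Running `find_excess_change_rights(SAMPLE_RIGHTS)` on the constructed export reports employeegroup's change right on DroolsRule.ruleContent; a clean export after applying the note's corrected defaults should yield an empty list.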
Note 2986980 was updated for SAP Business Warehouse releases 7.0x. The note patches SQL injection and missing authorization checks in the Database Interface of SAP BW.
Notes 2743329 and 2475705 introduce switchable authorization checks for sensitive RFC-enabled modules in S/4HANA and SAP ECC.