Security News > 2021 > February > SAP Commerce Critical Security Bug Allows RCE
SAP is warning of a critical vulnerability in its SAP Commerce platform for e-commerce businesses.
Drools is an engine that makes up the rules engine for SAP Commerce.
A patch has been issued; however, Fritsch said, the fixes for the vulnerability only address the default permissions when initializing a new installation of SAP Commerce.
"The good news is that for existing installations, these manual remediation steps can be used as a full workaround for SAP Commerce installations that cannot install the latest patch releases in a timely manner."
The vulnerability update was one of seven security notes released on Tuesday by SAP. The other six releases were updates to previously released Patch Tuesday security notes.
Another critical-severity flaw that was previously released and updated on Tuesday included multiple flaws in SAP Business Warehouse, a data "Warehousing" product based on the SAP NetWeaver ABAP platform, which collects and stores data.
News URL
https://threatpost.com/sap-commerce-critical-security-bug/163822/
Related news
- Ivanti Issues Critical Security Updates for CSA and Connect Secure Vulnerabilities (source)
- Apache issues patches for critical Struts 2 RCE bug (source)
- Critical security hole in Apache Struts under exploit (source)
- The ongoing evolution of the CIS Critical Security Controls (source)
- Critical RCE Flaw in GFI KerioControl Allows Remote Code Execution via CRLF Injection (source)
- Hackers exploit critical Aviatrix Controller RCE flaw in attacks (source)
- Critical SimpleHelp Flaws Allow File Theft, Privilege Escalation, and RCE Attacks (source)
- SAP fixes critical vulnerabilities in NetWeaver application servers (source)
- Critical Flaws in WGS-804HPT Switches Enable RCE and Network Exploitation (source)
- Critical Cacti Security Flaw (CVE-2025-22604) Enables Remote Code Execution (source)