Due to unsafe deserialization used in SAP Commerce Cloud (virtualjdbc extension), versions 6.4, 6.5, 6.6, 6.7, 1808, 1811, 1905, it is possible to execute arbitrary code on a target machine with Hybris user rights, resulting in Code Injection.
Weakness
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Commerce_cloud | Sap | 6.4 (including) | 6.4 (including) |
| Commerce_cloud | Sap | 6.5 (including) | 6.5 (including) |
| Commerce_cloud | Sap | 6.6 (including) | 6.6 (including) |
| Commerce_cloud | Sap | 6.7 (including) | 6.7 (including) |
| Commerce_cloud | Sap | 1808 (including) | 1808 (including) |
| Commerce_cloud | Sap | 1811 (including) | 1811 (including) |
| Commerce_cloud | Sap | 1905 (including) | 1905 (including) |
Potential Mitigations
- Make fields transient to protect them from deserialization.
- An attempt to serialize and then deserialize a class containing transient fields will result in NULLs where the transient data should be. This is an excellent way to prevent time, environment-based, or sensitive variables from being carried over and used improperly.
Related Attack Patterns
References
- https://launchpad.support.sap.com/#/notes/2786035
- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523998017
- https://launchpad.support.sap.com/#/notes/2786035
- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523998017
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-0344