Advisory
On 18.04.2022 a security-relevant correction was released by SAP SE. The manufacturer resolves an issue within SAP Commerce.
SAP Note 3171258 addresses "[CVE-2022-22965] Remote Code Execution vulnerability associated with Spring Framework used in SAP Commerce" to prevent remote code execution, rated hot news for exploitation risk.
According to the SAP Security Advisory team, a workaround does exist; the team nevertheless advises implementing the correction as part of maintenance.
Risk specification
SAP Commerce uses a version of Spring Framework which has a Remote Code Execution vulnerability.
Solution
SAP Commerce fixes this vulnerability by updating to the latest version of the Spring libraries. Circumstances may exist that prevent the timely installation of the patch provided by the manufacturer. In such cases, you may consider applying the suggested workaround as a temporary or compensating mitigation: "If you cannot upgrade to the latest SAP Commerce Cloud patch release yet, you can implement the workaround described in Knowledge Base Article 3187386."
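Because the fix consists of updating the Spring libraries, the practical verification step is to confirm which Spring Framework jars an installation actually ships. The following script is an added example, not part of the SAP Note or the Knowledge Base Article: it parses Spring Framework artifact file names and compares them against the patch levels that closed CVE-2022-22965 upstream (5.2.20 and 5.3.18; older 5.x and 4.x lines received no fix, and 6.x was released after it). The sample listing is constructed; on a real system you would pass the contents of the application's lib directory instead.

```python
"""Flag Spring Framework jars still below the versions that fix CVE-2022-22965."""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Patch levels that closed CVE-2022-22965 in the two 5.x lines supported at the
# time (upstream Spring Framework advisory). Nothing older than 5.2 was fixed.
FIXED_PATCH: Dict[Tuple[int, int], int] = {(5, 2): 20, (5, 3): 18}

# Spring Framework modules only; Spring Boot / Spring Security jars carry their
# own, unrelated version numbers and are deliberately not matched.
JAR_RE = re.compile(
    r"^(spring-(?:aop|beans|context|core|expression|jdbc|orm|tx|web|webmvc|webflux))"
    r"-(\d+)\.(\d+)\.(\d+)(?:\.[A-Za-z0-9]+)?\.jar$"
)


def parse_jar(filename: str) -> Optional[Tuple[str, Version]]:
    """Return (artifact, (major, minor, patch)) for a Spring Framework jar, else None."""
    m = JAR_RE.match(filename)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.group(2, 3, 4))
    return m.group(1), (major, minor, patch)


def is_fixed(version: Version) -> bool:
    """True when this Spring Framework version contains the CVE-2022-22965 fix."""
    major, minor, patch = version
    line = (major, minor)
    if line > (5, 3):          # 6.x shipped after the fix; there is no 5.4 line
        return True
    if line in FIXED_PATCH:    # 5.2.x / 5.3.x: compare against the fixed patch level
        return patch >= FIXED_PATCH[line]
    return False               # 5.1 and earlier: affected, never patched


def scan_lib_dir(filenames: List[str]) -> List[Tuple[str, str, bool]]:
    """Return (jar, version, fixed) for every Spring Framework jar in the listing."""
    findings = []
    for name in sorted(filenames):
        parsed = parse_jar(name)
        if parsed is None:
            continue
        _, version = parsed
        findings.append((name, ".".join(map(str, version)), is_fixed(version)))
    return findings


def vulnerable_jars(filenames: List[str]) -> List[str]:
    """Names of the Spring Framework jars that still need the upgrade."""
    return [jar for jar, _, fixed in scan_lib_dir(filenames) if not fixed]


# Constructed sample listing (not taken from a real deployment). Replace with
# os.listdir(<lib directory>) to check an actual installation.
SAMPLE_LISTING = [
    "spring-beans-5.3.17.jar",
    "spring-core-5.3.18.jar",
    "spring-webmvc-5.2.19.RELEASE.jar",
    "spring-context-5.2.20.RELEASE.jar",
    "spring-web-4.3.30.RELEASE.jar",
    "spring-beans-6.0.2.jar",
    "commons-lang3-3.12.0.jar",
]

if __name__ == "__main__":
    for jar, version, fixed in scan_lib_dir(SAMPLE_LISTING):
        print(f"{'OK  ' if fixed else 'VULN'} {jar} ({version})")
```

A mixed result, such as one module already at 5.3.18 while another is still at 5.3.17, is itself a finding: the fix only holds when every Spring Framework module on the classpath is at or above the fixed level.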
- 10.0 [CVE-2023-27497] Multiple vulnerabilities in SAP Diagnostics Agent (OSCommand Bridge and EventLogServiceCollector)
- 9.8 [CVE-2022-22965] Remote Code Execution vulnerability associated with Spring Framework used in SAP Customer Profitability Analytics
- 9.8 [CVE-2022-22965] Remote Code Execution vulnerability associated with Spring Framework used in SAP Customer Checkout
- 9.8 [CVE-2022-22965] Central Security Note for Remote Code Execution vulnerability associated with Spring Framework
- 9.8 [CVE-2022-22965] Remote Code Execution vulnerability associated with Spring Framework used in PowerDesigner Web (up to including 16.7 SP05 PL01)