CVE-2021-42064: Unpublished bug that, under certain circumstances, exposes the backend DB (14th Dec, 2021)

Preface: Oracle 10g limits a static IN clause to 1000 items. How do you get past the "maximum number of expressions in a list is 1000" limit in Oracle? Any IN condition such as x in (1,2,3) can be rewritten as (1,x) in ((1,1), (1,2), (1,3)), and the 1000-element limit no longer applies.

Background: SAP Commerce organizes data such as product information so that it can be propagated through multiple communication channels in a consistent and efficient way, which lets businesses sell products across multiple distribution channels. The ORA-01792 error message warns that the maximum number of columns in a table or view is 1000 on the remote DB; this is an unpublished design limitation.

Vulnerability details: If SAP Commerce (versions 1905, 2005, 2105, 2011) is configured to use an Oracle database and a query is created through the flexible search Java API with a parameterized "in" clause, an attacker can execute crafted database queries, exposing the backend database. The vulnerability is present only if the parameterized "in" clause accepts more than 1000 values.
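The defensive pattern implied by the Preface and the vulnerability details above is to keep every IN list bound as parameters and below the database's expression limit, rather than letting a framework inline values once the list grows past 1000. The following is an added example, not SAP Commerce code and not the flexible search API: it batches an arbitrarily long list of product codes into parameterised IN queries of at most 1000 placeholders each, and includes a check that the generated SQL contains only placeholders and none of the caller's values. SQLite stands in for Oracle, and the product table and codes are constructed for the demo.

```python
"""Bounded, fully parameterised IN-list lookups (added example; SQLite stands in for Oracle)."""
import sqlite3
from typing import Dict, Iterable, Iterator, Sequence

# Oracle's documented limit for a static IN list (ORA-01795). Hypothetical
# constant name; the value is the limit discussed on the page.
ORACLE_IN_LIST_LIMIT = 1000

# Fixed query template: the table and column are never taken from callers,
# only the placeholder count varies.
QUERY_TEMPLATE = "SELECT code, price_cents FROM product WHERE code IN ({placeholders})"


def chunked(values: Sequence, size: int) -> Iterator[Sequence]:
    """Yield consecutive slices of `values` with at most `size` elements each."""
    if size < 1:
        raise ValueError("chunk size must be at least 1")
    for start in range(0, len(values), size):
        yield values[start:start + size]


def build_in_query(count: int) -> str:
    """Return the lookup query with exactly `count` bind placeholders."""
    if count < 1:
        raise ValueError("an IN list needs at least one element")
    return QUERY_TEMPLATE.format(placeholders=", ".join(["?"] * count))


def uses_only_placeholders(sql: str, values: Sequence[str]) -> bool:
    """Check that every value is bound: one '?' per value and no value literal in the SQL."""
    if sql.count("?") != len(values):
        return False
    return not any(str(v) in sql for v in values)


def find_products(conn: sqlite3.Connection,
                  codes: Iterable[str],
                  max_in_list: int = ORACLE_IN_LIST_LIMIT) -> Dict[str, int]:
    """Look up prices for any number of codes, never exceeding `max_in_list` per statement."""
    found: Dict[str, int] = {}
    for batch in chunked(list(codes), max_in_list):
        sql = build_in_query(len(batch))
        # Guard against a regression that would inline values instead of binding them.
        if not uses_only_placeholders(sql, batch):
            raise RuntimeError("query would inline caller-supplied values")
        for code, price_cents in conn.execute(sql, tuple(batch)):
            found[code] = price_cents
    return found


def make_demo_db(product_count: int) -> sqlite3.Connection:
    """Constructed sample data: codes P00000.. with a known price, plus one code containing a quote."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (code TEXT PRIMARY KEY, price_cents INTEGER NOT NULL)")
    rows = [(f"P{i:05d}", 100 + i) for i in range(product_count)]
    rows.append(("O'Reilly-01", 999))  # a quote in the data must be harmless when bound
    conn.executemany("INSERT INTO product VALUES (?, ?)", rows)
    conn.commit()
    return conn


if __name__ == "__main__":
    db = make_demo_db(2500)
    wanted = [f"P{i:05d}" for i in range(0, 2500, 2)] + ["O'Reilly-01", "NOPE"]
    prices = find_products(db, wanted)  # 2502 codes -> three statements of <= 1000 placeholders
    print(len(prices), "products found;", prices["O'Reilly-01"], "cents for the quoted code")
```

Because each statement stays within the limit, there is never a reason for a query layer to fall back to inlining literals, which is the situation the advisory describes. The `uses_only_placeholders` guard is cheap and catches that fallback if it is ever reintroduced.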

Observation: The backend consists of the server that provides data on request, the application that channels it, and the database that organizes the information. If an attacker knows these details, SQL injection becomes easier for them.

Official details: For more details, please refer to the link – https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+December+2021
