Preface: BigCommerce and Shopify are widely regarded as the leading hosted eCommerce platforms; this post concerns a different product, HCL Commerce.
HCL Commerce (formerly known as WebSphere Commerce, and before that as WCS, WebSphere Commerce Suite) is a software platform framework for e-commerce that bundles marketing, sales, customer and order-processing functionality in a tailorable, integrated package. It was formerly an IBM product; IBM sold it to HCL Technologies in July 2019.
Background: a Java application running inside the Open Liberty/WebSphere Liberty runtime, with the application's logs shipped to a hosted Elasticsearch. For details, refer to the attached diagram.
- My assumption is that it happens under the circumstances below.
- Middleware servers include the following types: WebSphere® Application Server, Liberty servers, Apache Tomcat servers, JBoss servers, BEA WebLogic servers, PHP servers, and so on. Quoting an example:
Files used to display content on a website, such as HTML, CSS and JavaScript files, contain a lot of text. Due to the nature of these files, the same words recur many times throughout a document, so they compress well.
- To improve web server and client response time, Open Liberty can be configured to compress HTTP responses.
Open Liberty is a lightweight, open source Java runtime built from modular features. WebSphere Liberty is the commercial version of Open Liberty.
- The compression algorithm is negotiated through HTTP headers (Accept-Encoding on the request, Content-Encoding on the response); the common algorithms are gzip, Brotli (br) and zstd.
In order for the GZIP compression functionality to work on the XML Firewall, the compressed request/response message must carry a "Transfer-Encoding" header instead of "Content-Encoding: gzip"; specifically, the header is "Transfer-Encoding: gzip, chunked". Without the Transfer-Encoding header, the compressed message will not be decompressed by the XML Firewall.
- If the above settings are deployed in front of HCL Commerce, this post's assumption is that they are what lets the vulnerability (CVE-2022-38656) occur: HCL Commerce, when using Elasticsearch, can allow a remote attacker to cause a denial of service on the site and make administrative changes.
- Use of such a decompression chain could result in a "malloc bomb": a small compressed payload that expands into a very large allocation when the receiver decompresses it, exhausting the server's memory.
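To make the two points above concrete, here is an added example (not code from HCL, IBM or Open Liberty; written in Python because the technique does not depend on the runtime). It undoes a message sent with "Transfer-Encoding: gzip, chunked" in the order RFC 9112 requires (transfer codings are listed in the order applied, so the receiver de-chunks first and gunzips second), and it gives the gunzip step an output budget so a constructed bomb, 16 MiB of zeros that gzips to roughly 16 KiB, is refused before the expanded payload is ever allocated. The 1 MiB cap, the DecompressionBomb exception, the function names and the sample messages are all assumptions made for this example.

```python
"""Added example (not HCL, IBM or Open Liberty code): safely undo
'Transfer-Encoding: gzip, chunked'. RFC 9112 lists transfer codings in the
order applied, so the receiver removes them in reverse (de-chunk, then
gunzip); the gunzip step is bounded so a "malloc bomb" is refused before
the expanded payload is ever allocated."""
import gzip
import zlib

MAX_DECOMPRESSED = 1 * 1024 * 1024  # assumed 1 MiB cap; size it to the largest legitimate body


class DecompressionBomb(Exception):
    """Decompressed output would exceed MAX_DECOMPRESSED."""


def chunked_encode(body: bytes, chunk_size: int = 4096) -> bytes:
    """Apply HTTP/1.1 chunked transfer coding: hex size CRLF data CRLF ... 0 CRLF CRLF."""
    out = bytearray()
    for i in range(0, len(body), chunk_size):
        chunk = body[i:i + chunk_size]
        out += b"%x\r\n" % len(chunk) + chunk + b"\r\n"
    return bytes(out + b"0\r\n\r\n")


def chunked_decode(data: bytes) -> bytes:
    """Remove chunked transfer coding; ValueError on malformed framing."""
    out, pos = bytearray(), 0
    while True:
        nl = data.index(b"\r\n", pos)
        size = int(data[pos:nl].split(b";", 1)[0].strip(), 16)  # drop chunk extensions
        pos = nl + 2
        if size == 0:
            return bytes(out)  # last-chunk; trailer fields are ignored here
        if len(data) < pos + size + 2 or data[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated chunk or missing CRLF after chunk data")
        out += data[pos:pos + size]
        pos += size + 2


def gunzip_bounded(data: bytes, max_out: int = MAX_DECOMPRESSED) -> bytes:
    """Inflate gzip data incrementally, aborting once max_out is exceeded.
    decompress(buf, max_length) returns at most max_length bytes per call and
    parks unprocessed input in unconsumed_tail, so a bomb is never fully expanded."""
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # +16 selects gzip framing
    out, buf = bytearray(), data
    while not d.eof:
        # Request one byte beyond the remaining budget so an overrun is detectable.
        piece = d.decompress(buf, max_out + 1 - len(out))
        out += piece
        if len(out) > max_out:
            raise DecompressionBomb(f"output exceeds {max_out} bytes from {len(data)} compressed bytes")
        tail = d.unconsumed_tail
        if not piece and len(tail) == len(buf):
            raise ValueError("truncated or malformed gzip stream")  # no progress made
        buf = tail
    return bytes(out)


def decode_transfer_codings(transfer_encoding: str, raw_body: bytes) -> bytes:
    """Undo the codings named in a Transfer-Encoding header, last applied first."""
    codings = [c.strip().lower() for c in transfer_encoding.split(",") if c.strip()]
    if "chunked" in codings and codings[-1] != "chunked":
        raise ValueError("chunked must be the final transfer coding")
    body = raw_body
    for coding in reversed(codings):
        if coding == "chunked":
            body = chunked_decode(body)
        elif coding in ("gzip", "x-gzip"):
            body = gunzip_bounded(body)
        elif coding != "identity":
            raise ValueError(f"unsupported transfer coding: {coding}")
    return body


def encode_as_gzip_chunked(body: bytes) -> bytes:
    """Wire form the post describes: gzip applied first, then chunked."""
    return chunked_encode(gzip.compress(body))


# Constructed sample messages for this example, not captured traffic.
def legit_roundtrip() -> bool:
    """A small, ordinary HTML body survives the decode chain unchanged."""
    body = b"<html>" + b"<p>hello</p>" * 200 + b"</html>"
    return decode_transfer_codings("gzip, chunked", encode_as_gzip_chunked(body)) == body


def bomb_is_rejected() -> bool:
    """16 MiB of zeros gzips to roughly 16 KiB; the bounded decoder refuses it."""
    wire = encode_as_gzip_chunked(b"\0" * (16 * 1024 * 1024))
    try:
        decode_transfer_codings("gzip, chunked", wire)
    except DecompressionBomb:
        return True
    return False


if __name__ == "__main__":
    print("legit body decoded:", legit_roundtrip())
    print("bomb rejected:", bomb_is_rejected())
```

A gateway or servlet filter in front of HCL Commerce would apply the same rule: never hand attacker-controlled compressed input to a decompressor without an output budget, and fail the single request rather than the whole JVM when that budget is exceeded. The example demonstrates the failure mode this post assumes; it is not a confirmed root cause of CVE-2022-38656.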
Vulnerabilities close to this discussion: CVE-2022-38656. Certain versions of HCL Commerce from HCL Software contain the following vulnerability:
HCL Commerce, when using Elasticsearch, can allow a remote attacker to cause a denial of service attack on the site and make administrative changes.
Official announcement: please refer to the following link for details: https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0101265