AI Security AI安全 2h ago Updated 1h ago 更新于 1小时前 46

SAP Patches Critical Vulnerabilities in NetWeaver, Approuter, Commerce Cloud SAP 修复 NetWeaver、Approuter 和 Commerce Cloud 中的关键漏洞

SAP released 19 new and updated security notes during its July 2026 patch day, addressing vulnerabilities across its enterprise software suite. The highest severity issue is CVE-2026-44747 (CVSS 9.9), a memory corruption bug in NetWeaver Application Server ABAP allowing data access and system unavailability. Critical HTTP request smuggling (CVE-2026-27690, CVSS 9.1) was fixed in Approuter, affecting non-Cloud Foundry environments via unauthenticated crafted requests. A hardcoded credential flaw SAP发布2026年7月安全补丁日更新,共修复19项新及已更新的安全公告。 最严重漏洞为NetWeaver ABAP中的内存损坏缺陷(CVE-2026-44747),CVSS评分9.9,可导致数据篡改和系统不可用。 修复了Approuter中的HTTP请求走私漏洞(CVE-2026-27690)及Commerce Cloud中的硬编码凭证问题(CVE-2026-44761),均为关键级别。 部分高严重性漏洞涉及Apache Camel和Tomcat组件,其余为中低级别漏洞,覆盖S/4HANA、Fiori等多个产品线。

65
Hot 热度
70
Quality 质量
60
Impact 影响力

Analysis 深度分析

TL;DR

  • SAP released 19 new and updated security notes during its July 2026 patch day, addressing vulnerabilities across its enterprise software suite.
  • The highest severity issue is CVE-2026-44747 (CVSS 9.9), a memory corruption bug in NetWeaver Application Server ABAP allowing data access and system unavailability.
  • Critical HTTP request smuggling (CVE-2026-27690, CVSS 9.1) was fixed in Approuter, affecting non-Cloud Foundry environments via unauthenticated crafted requests.
  • A hardcoded credential flaw in Commerce Cloud (CVE-2026-44761, CVSS 9.1) allows unauthorized API access if customers retained sample OAuth2 configurations in production.
  • Additional patches cover high-severity defects in Integration Suite, SAProuter, and NetWeaver Java, including updates for Apache Camel and Tomcat components.

Why It Matters

This update highlights the persistent risks associated with legacy enterprise architectures, particularly memory corruption in core application servers like NetWeaver. It underscores the critical importance of auditing third-party dependencies and sample configurations, as seen in the Commerce Cloud credential issue, to prevent unauthorized access in production environments. For security practitioners, this reinforces the need for immediate patch management and rigorous review of deployment scripts to eliminate hardcoded secrets.

Technical Details

  • CVE-2026-44747 (CVSS 9.9): A memory corruption vulnerability in NetWeaver Application Server ABAP. Exploitation allows attackers to access/modify data and cause denial of service. Temporary mitigation involves disabling specific ICF nodes via transaction SICF.
  • CVE-2026-27690 (CVSS 9.1): An HTTP request smuggling vulnerability in SAP Approuter (non-Cloud Foundry). Allows unauthenticated attackers to send crafted requests leading to request-response desynchronization.
  • CVE-2026-44761 (CVSS 9.1): Hardcoded credentials in Commerce Cloud OAuth2 clients derived from sample scripts in SAP Help Portal. Enables unauthorized token acquisition and API invocation if default secrets are not replaced in production.
  • Component Updates: Patches address multiple Apache Camel and Apache Tomcat security bugs within Integration Suite and Commerce Cloud notes.
  • Scope: Fixes span NetWeaver, S/4HANA, Fiori, CRM, HANA Extended Application Services Classic Model, and SAProuter, ranging from critical to low severity.

Industry Insight

Organizations must prioritize the remediation of memory corruption vulnerabilities in core ERP components, as these often provide the highest privilege escalation paths. Enterprises should conduct immediate audits of all production environments for hardcoded credentials in sample configurations, particularly for cloud-connected modules like Commerce Cloud. Proactive dependency management is essential, as vulnerabilities in underlying libraries like Apache Camel and Tomcat can directly impact the security posture of integrated enterprise suites.

TL;DR

  • SAP发布2026年7月安全补丁日更新,共修复19项新及已更新的安全公告。
  • 最严重漏洞为NetWeaver ABAP中的内存损坏缺陷(CVE-2026-44747),CVSS评分9.9,可导致数据篡改和系统不可用。
  • 修复了Approuter中的HTTP请求走私漏洞(CVE-2026-27690)及Commerce Cloud中的硬编码凭证问题(CVE-2026-44761),均为关键级别。
  • 部分高严重性漏洞涉及Apache Camel和Tomcat组件,其余为中低级别漏洞,覆盖S/4HANA、Fiori等多个产品线。

为什么值得看

对于使用SAP企业软件的客户而言,此次更新包含多个可被远程利用的关键级漏洞,直接影响数据完整性和系统可用性。及时应用补丁并审查生产环境配置是防止潜在攻击的必要措施。

技术解析

  • NetWeaver内存损坏漏洞 (CVE-2026-44747):CVSS 9.9,位于NetWeaver Application Server ABAP中,成功利用可导致数据访问修改及系统不可用。建议立即修补,临时方案为在SICF事务中禁用特定属性的ICF节点。
  • Approuter HTTP请求走私 (CVE-2026-27690):CVSS 9.1,影响非Cloud Foundry环境下的Approuter部署。未认证攻击者可发送特制HTTP请求导致请求-响应不同步。
  • Commerce Cloud硬编码凭证 (CVE-2026-44761):CVSS 9.1,源于帮助门户提供的示例配置脚本中OAuth2客户端使用了已知凭证。若客户在生产环境中保留这些默认设置而未替换强密钥,攻击者可通过获取访问令牌来读取和篡改数据。
  • 其他组件更新:包括Integration Suite和Commerce Cloud中对Apache Camel和Tomcat安全缺陷的补丁,以及针对SAProuter、NetWeaver Java等组件的高、中、低级漏洞修复。

行业启示

  • 供应链与第三方依赖风险:漏洞涉及Apache Camel和Tomcat等广泛使用的开源组件,表明企业需加强对第三方库及其版本的安全监控。
  • 配置管理最佳实践:Commerce Cloud案例凸显了使用默认或示例配置在生产环境中的巨大风险,企业应建立严格的配置审计流程,杜绝硬编码凭证。
  • 应急响应优先级:面对CVSS 9.9级别的内存损坏漏洞,IT安全团队应将此类高危补丁列为最高优先级的紧急修复任务,并评估临时缓解措施的有效性。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

Security 安全