AI Security AI安全 1d ago Updated 1d ago 更新于 1天前 42

SAP Patches CVSS 9.9 NetWeaver ABAP Flaw That Could Expose or Modify Data SAP修复CVSS 9.9分NetWeaver ABAP漏洞,该漏洞可能导致数据泄露或篡改

SAP patched CVE-2026-44747, a critical CVSS 9.9 out-of-bounds write vulnerability in NetWeaver ABAP allowing memory corruption and unauthorized data access. Two additional critical vulnerabilities were addressed: CVE-2026-27690 (HTTP smuggling in Approuter) and CVE-2026-44761 (default OAuth credentials in Commerce Cloud). The Commerce Cloud flaw stems from sample configuration scripts in older documentation that left hard-coded credentials in production environments. While no active exploitation SAP发布2026年7月安全更新,修复包括NetWeaver ABAP在内的高危漏洞。 CVE-2026-44747为CVSS 9.9分的越界写入漏洞,可导致内存损坏及数据未授权访问。 CVE-2026-27690涉及HTTP请求走私,可能导致用户响应泄露及拒绝服务攻击。 CVE-2026-44761源于SAP Commerce Cloud中遗留的默认OAuth凭证,存在未授权数据修改风险。 尽管尚无野外利用证据,官方强烈建议立即安装补丁并审查生产环境配置。

65
Hot 热度
60
Quality 质量
55
Impact 影响力

Analysis 深度分析

TL;DR

  • SAP patched CVE-2026-44747, a critical CVSS 9.9 out-of-bounds write vulnerability in NetWeaver ABAP allowing memory corruption and unauthorized data access.
  • Two additional critical vulnerabilities were addressed: CVE-2026-27690 (HTTP smuggling in Approuter) and CVE-2026-44761 (default OAuth credentials in Commerce Cloud).
  • The Commerce Cloud flaw stems from sample configuration scripts in older documentation that left hard-coded credentials in production environments.
  • While no active exploitation is confirmed, immediate patching and credential audits are strongly recommended for all affected SAP systems.

Why It Matters

This update highlights significant risks in enterprise ERP and cloud commerce infrastructure, particularly regarding memory safety in legacy ABAP kernels and the dangers of retaining sample configurations in production. For security practitioners, it underscores the importance of rigorous configuration management and the need to scrutinize vendor documentation for potential security pitfalls that may persist in deployed systems.

Technical Details

  • CVE-2026-44747 (CVSS 9.9): An out-of-bounds write flaw in the SAP NetWeaver Application Server ABAP kernel. Authenticated attackers can exploit logical errors in memory management to cause memory corruption, leading to data exposure, modification, or denial of service. Temporary mitigation involves disabling specific ICF nodes via transaction SICF, though this impacts SAP GUI for HTML functionality.
  • CVE-2026-27690 (CVSS 9.1): An HTTP request/response smuggling vulnerability in SAP Approuter deployments within non-Cloud Foundry environments. Unauthenticated attackers can craft requests to cause desynchronization, exposing user responses and triggering DoS attacks.
  • CVE-2026-44761 (CVSS 9.1): A default credential issue in SAP Commerce Cloud where sample OAuth 2.0 clients with publicly documented secrets remain active. Attackers can use these credentials to obtain access tokens and invoke APIs to read or modify data. Mitigation requires auditing production environments for these sample clients and removing them or replacing secrets with strong, unique values.

Industry Insight

  • Documentation Security Audits: Organizations should review historical vendor documentation and sample scripts used during initial setup to identify any lingering default configurations or insecure practices that were never updated for production use.
  • Proactive Patch Management: Given the critical nature of the ABAP kernel flaw and the lack of evidence for current exploitation, enterprises should prioritize applying the July 2026 security updates immediately to close potential entry points before they are targeted.
  • Configuration Hygiene: Implement strict change management protocols to ensure that development or testing configurations, especially those involving authentication mechanisms like OAuth, are never inadvertently promoted to production environments without thorough security validation.

TL;DR

  • SAP发布2026年7月安全更新,修复包括NetWeaver ABAP在内的高危漏洞。
  • CVE-2026-44747为CVSS 9.9分的越界写入漏洞,可导致内存损坏及数据未授权访问。
  • CVE-2026-27690涉及HTTP请求走私,可能导致用户响应泄露及拒绝服务攻击。
  • CVE-2026-44761源于SAP Commerce Cloud中遗留的默认OAuth凭证,存在未授权数据修改风险。
  • 尽管尚无野外利用证据,官方强烈建议立即安装补丁并审查生产环境配置。

为什么值得看

对于依赖SAP生态的企业而言,此次更新涉及核心应用服务器及云 commerce 平台的关键安全缺陷,直接影响数据机密性与完整性。了解这些漏洞的具体利用路径(如内存管理错误、默认凭证滥用)有助于安全团队精准评估风险并制定紧急缓解措施。

技术解析

  • CVE-2026-44747 (CVSS 9.9):位于SAP NetWeaver Application Server ABAP中的越界写入漏洞。攻击者需具备认证权限,利用内存管理逻辑错误引发内存损坏,进而实现未授权的数据访问、修改或系统不可用。临时缓解方案为在SICF事务中禁用特定属性的ICF节点,但这会影响SAP GUI for HTML功能,因此强烈建议直接修补ABAP内核。
  • CVE-2026-27690 (CVSS 9.1):存在于非Cloud Foundry环境下的SAP Approuter部署中的HTTP请求/响应走私漏洞。未认证攻击者可发送特制HTTP请求导致请求-响应不同步,从而暴露用户响应内容或触发拒绝服务(DoS)攻击。
  • CVE-2026-44761 (CVSS 9.1):SAP Commerce Cloud中的默认凭证使用问题。源于SAP帮助门户提供的示例配置脚本,其中包含硬编码且公开记录的OAuth 2.0客户端凭证。若客户在生产环境中保留此配置而未替换密钥,未认证攻击者可获取有效访问令牌以读取和修改数据。受影响程度取决于客户是否执行了示例脚本并保留了默认设置。

行业启示

  • 文档与示例代码的安全性审计:厂商提供的开发/测试示例配置不应直接用于生产环境,企业需建立机制定期审查第三方软件文档中的示例代码是否被误引入生产配置。
  • 零信任与默认凭证管理:即使漏洞利用需要特定前置条件(如执行过旧版脚本),默认凭证仍是重大风险点。企业应强制实施最小权限原则,并定期轮换所有服务账户和API密钥,避免依赖静态默认值。
  • 紧急响应与缓解策略权衡:在补丁部署前,临时缓解措施可能带来业务中断风险(如禁用GUI功能)。安全团队需在“快速止血”与“业务连续性”之间做出权衡,优先推动内核级补丁而非长期依赖功能受限的临时配置。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

Security 安全