CVE-2019-0344
Published: 14 August 2019
Summary
CVE-2019-0344 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in SAP Commerce Cloud. Its CVSS base score is 9.8 (Critical).
It ranks in the top 2.6% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-3 (Malicious Code Protection).
Deeper analysis
CVE-2019-0344 is an unsafe deserialization vulnerability in the virtualjdbc extension of SAP Commerce Cloud (formerly Hybris), affecting versions 6.4, 6.5, 6.6, 6.7, 1808, 1811, and 1905. The flaw, tracked under CWE-502, allows untrusted data to be deserialized without proper validation, enabling code injection that executes with the privileges of the Hybris user account. It carries a CVSS 3.1 base score of 9.8, reflecting network-accessible exploitation with low attack complexity and no required credentials or user interaction.
An unauthenticated remote attacker can send a crafted serialized object to the vulnerable extension and achieve arbitrary code execution on the target system. Successful exploitation grants the attacker the ability to run commands, access or modify data, and potentially pivot within the affected SAP environment under Hybris user rights.
SAP security note 2786035 and the associated wiki documentation provide remediation guidance, including patches that address the deserialization issue in supported releases. The vulnerability's inclusion in the CISA Known Exploited Vulnerabilities catalog confirms observed real-world exploitation activity.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-1117
Vulnerability details
Due to unsafe deserialization used in SAP Commerce Cloud (virtualjdbc extension), versions 6.4, 6.5, 6.6, 6.7, 1808, 1811, 1905, it is possible to execute arbitrary code on a target machine with 'Hybris' user rights, resulting in Code Injection.
- CWE(s): CWE-502 (Deserialization of Untrusted Data)
- KEV Date Added: 30 September 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- SAP Commerce Cloud (virtualjdbc extension), versions 6.4, 6.5, 6.6, 6.7, 1808, 1811 and 1905
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of untrusted serialized input before deserialization, blocking the crafted objects that enable arbitrary code execution in the virtualjdbc extension.
- SI-7 (Software, Firmware, and Information Integrity): requires integrity verification of software and data, which can detect or block unauthorized code introduced via the deserialization flaw.
- SI-3 (Malicious Code Protection): provides malicious-code detection mechanisms that can identify the code-execution payload resulting from successful exploitation of the unsafe deserialization.
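The deeper analysis above describes the attack (a client-supplied serialized object handed to the JVM without validation) and the SI-10 control describes the fix (validate before deserialization). The following Java program is an added example, not SAP's code and not a reproduction of the virtualjdbc extension: it shows the generic CWE-502 pattern beside a hardened reader that applies a JEP 290 ObjectInputFilter allow-list so the stream can no longer choose which classes get instantiated. The QueryRequest type, the filter contents and the two byte payloads are hypothetical and constructed inline.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

// Added example, not SAP's code. Shows the generic CWE-502 pattern and the
// SI-10 style fix: validate the serialized stream against an allow-list before
// any class in it is resolved. QueryRequest, the filter string and the payloads
// are hypothetical; nothing here reproduces the virtualjdbc extension.
public class DeserializationHardening {

    // Hypothetical DTO the service legitimately expects from a client.
    public static final class QueryRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        final String sql;
        QueryRequest(String sql) { this.sql = sql; }
    }

    // VULNERABLE: the stream decides which classes get instantiated, so any
    // gadget class reachable on the server classpath can be driven by the client.
    static Object unsafeRead(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return in.readObject();
        }
    }

    // HARDENED: JEP 290 filter (Java 9+). Only QueryRequest is allowed, every
    // other class is rejected ("!*"), and stream size/depth/reference counts are
    // capped so a malformed stream cannot exhaust resources before rejection.
    static final ObjectInputFilter ALLOW_LIST = ObjectInputFilter.Config.createFilter(
            "maxdepth=4;maxbytes=65536;maxrefs=64;"
            + QueryRequest.class.getName() + ";!*");

    static Object safeRead(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            in.setObjectInputFilter(ALLOW_LIST);   // must be installed before readObject()
            return in.readObject();
        }
    }

    // Builds the constructed payloads used in the demonstration below.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] legitimate = serialize(new QueryRequest("SELECT 1"));

        // Stand-in for a hostile stream: a class the service never asked for.
        // A real exploit would carry a gadget chain; any non-allow-listed class
        // is enough to show where the filter stops it.
        List<String> stranger = new ArrayList<>();
        stranger.add("not a QueryRequest");
        byte[] hostile = serialize(stranger);

        // Unfiltered reader happily instantiates whatever the bytes name.
        System.out.println("unsafeRead(hostile)  -> " + unsafeRead(hostile).getClass().getName());

        // Filtered reader accepts the expected type ...
        System.out.println("safeRead(legitimate) -> " + safeRead(legitimate).getClass().getName());

        // ... and refuses the stranger before its constructor or readObject hook runs.
        try {
            safeRead(hostile);
        } catch (InvalidClassException e) {
            // The JDK reports the filter decision in the message ("filter status: REJECTED").
            System.out.println("safeRead(hostile)    -> rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with any JDK 9 or later; the filter is consulted for every class the stream names, so the rejection happens before any object of the unexpected type is constructed. Two practitioner notes: a process-wide default can be set with the `jdk.serialFilter` system property when the deserializing code cannot be changed, which is the situation the patches in SAP note 2786035 address at the source; and because exploitation runs with the Hybris user's rights, keeping that account tightly scoped limits what a bypass of the filter could reach.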