On December 10, 2024, SAP released its monthly Security Patch Day updates, addressing several vulnerabilities across various products, including SAP NetWeaver AS, SAP BusinessObjects Business Intelligence Platform, SAP Commerce Cloud, SAP Web Dispatcher, and more. Below, we provide an overview of the most critical vulnerabilities, their risk levels, and recommended actions to safeguard your SAP landscape.
Critical and High-Priority Vulnerabilities
[CVE-2024-47578] Multiple Vulnerabilities in SAP NetWeaver AS for JAVA (Adobe Document Services)
CVSS Score: 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)Affected Component: SAP NetWeaver AS for JAVA (Adobe Document Services)Description: A set of vulnerabilities that can compromise sensitive information and allow significant impact on system integrity and availability.Priority: HotNews
This vulnerability requires immediate attention as attackers with administrative privileges (PR:H) can exploit it to access critical data and disrupt SAP systems.
[CVE-2024-47590] Cross-Site Scripting (XSS) in SAP Web Dispatcher
CVSS Score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)Affected Component: SAP Web DispatcherDescription: A high-severity XSS vulnerability that enables attackers to inject malicious code into the web interface, potentially leading to session hijacking, content spoofing, and more.Priority: Correction with high priority
This vulnerability is exploitable without prior authentication (PR:N), emphasizing the urgency of applying the patch.
[CVE-2024-47586] NULL Pointer Dereference in SAP NetWeaver Application Server for ABAP and ABAP Platform
CVSS Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)Affected Component: SAP NetWeaver AS ABAPDescription: This vulnerability can lead to a denial of service (DoS), causing critical unavailability of the affected system.Priority: Correction with high priority
[CVE-2024-54197] Server-Side Request Forgery (SSRF) in SAP NetWeaver Administrator (System Overview)
CVSS Score: 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)Affected Component: SAP NetWeaver AdministratorDescription: SSRF vulnerabilities can allow unauthenticated attackers to access internal resources, potentially exposing sensitive data or leveraging trusted connections.Priority: Correction with high priority
[CVE-2024-54198] Information Disclosure via RFC in SAP NetWeaver Application Server ABAP
CVSS Score: 8.5 (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)Affected Component: SAP NetWeaver AS ABAPDescription: This high-risk vulnerability enables attackers with low privileges (PR:L) to exploit complex scenarios (AC:H) to access critical information or compromise system integrity.Priority: Correction with high priority
Medium- and Low-Priority Vulnerabilities
[CVE-2024-47582] XML Entity Expansion in SAP NetWeaver AS JAVA
CVSS Score: 5.3Description: A vulnerability in XML processing that could lead to system overload or potential denial of service.
[CVE-2024-32732] Information Disclosure in SAP BusinessObjects Business Intelligence Platform
CVSS Score: 5.3Description: An issue that could result in the leakage of non-critical but sensitive information.
[CVE-2024-42375] Multiple Unrestricted File Upload Vulnerabilities in SAP BusinessObjects Business Intelligence Platform
CVSS Score: 4.3Description: Allows attackers with limited privileges to upload unwanted files, potentially affecting data integrity.
[CVE-2024-47585] Missing Authorization Check in SAP NetWeaver AS ABAP and ABAP Platform
CVSS Score: 4.3Description: Insufficient authorization checks could allow unauthorized access to specific data.
[CVE-2024-47577] Information Disclosure in SAP Commerce Cloud
CVSS Score: 2.7Description: A low-severity information disclosure vulnerability requiring administrator privileges.
[CVE-2024-47576] DLL Hijacking in SAP Product Lifecycle Costing
CVSS Score: 3.3Description: A local vulnerability requiring user privileges. It is relevant for securing developer and administrator workstations.
Conclusion
The December SAP Security Patch Day highlights critical fixes addressing a wide range of vulnerabilities. Many of these require immediate action to prevent potential data breaches, system compromises, or denial-of-service attacks.
We strongly encourage analyzing these vulnerabilities promptly and applying the necessary patches. Taking a proactive approach will minimize risks and maintain the security of your SAP landscapes.
SAP Penetration Testing: https://redrays.io/sap-penetration-testing/
SAP Security Training: https://www.udemy.com/course/sap-security-core-concepts-and-security-administration/
On December 10, 2024, SAP released its monthly Security Patch Day updates, addressing several vulnerabilities across various products, including SAP NetWeaver AS, SAP BusinessObjects Business Intelligence Platform, SAP Commerce Cloud, SAP Web Dispatcher, and more. Below, we provide an overview of the most critical vulnerabilities, their risk levels, and recommended actions to safeguard your SAP landscape.Critical and High-Priority Vulnerabilities[CVE-2024-47578] Multiple Vulnerabilities in SAP NetWeaver AS for JAVA (Adobe Document Services)CVSS Score: 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)Affected Component: SAP NetWeaver AS for JAVA (Adobe Document Services)Description: A set of vulnerabilities that can compromise sensitive information and allow significant impact on system integrity and availability.Priority: HotNewsThis vulnerability requires immediate attention as attackers with administrative privileges (PR:H) can exploit it to access critical data and disrupt SAP systems.[CVE-2024-47590] Cross-Site Scripting (XSS) in SAP Web DispatcherCVSS Score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)Affected Component: SAP Web DispatcherDescription: A high-severity XSS vulnerability that enables attackers to inject malicious code into the web interface, potentially leading to session hijacking, content spoofing, and more.Priority: Correction with high priorityThis vulnerability is exploitable without prior authentication (PR:N), emphasizing the urgency of applying the patch.[CVE-2024-47586] NULL Pointer Dereference in SAP NetWeaver Application Server for ABAP and ABAP PlatformCVSS Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)Affected Component: SAP NetWeaver AS ABAPDescription: This vulnerability can lead to a denial of service (DoS), causing critical unavailability of the affected system.Priority: Correction with high priority[CVE-2024-54197] Server-Side Request Forgery (SSRF) in SAP NetWeaver Administrator (System Overview)CVSS Score: 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)Affected Component: SAP NetWeaver AdministratorDescription: SSRF vulnerabilities can allow unauthenticated attackers to access internal resources, potentially exposing sensitive data or leveraging trusted connections.Priority: Correction with high priority[CVE-2024-54198] Information Disclosure via RFC in SAP NetWeaver Application Server ABAPCVSS Score: 8.5 (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)Affected Component: SAP NetWeaver AS ABAPDescription: This high-risk vulnerability enables attackers with low privileges (PR:L) to exploit complex scenarios (AC:H) to access critical information or compromise system integrity.Priority: Correction with high priorityMedium- and Low-Priority Vulnerabilities[CVE-2024-47582] XML Entity Expansion in SAP NetWeaver AS JAVACVSS Score: 5.3Description: A vulnerability in XML processing that could lead to system overload or potential denial of service.[CVE-2024-32732] Information Disclosure in SAP BusinessObjects Business Intelligence PlatformCVSS Score: 5.3Description: An issue that could result in the leakage of non-critical but sensitive information.[CVE-2024-42375] Multiple Unrestricted File Upload Vulnerabilities in SAP BusinessObjects Business Intelligence PlatformCVSS Score: 4.3Description: Allows attackers with limited privileges to upload unwanted files, potentially affecting data integrity.[CVE-2024-47585] Missing Authorization Check in SAP NetWeaver AS ABAP and ABAP PlatformCVSS Score: 4.3Description: Insufficient authorization checks could allow unauthorized access to specific data.[CVE-2024-47577] Information Disclosure in SAP Commerce CloudCVSS Score: 2.7Description: A low-severity information disclosure vulnerability requiring administrator privileges.[CVE-2024-47576] DLL Hijacking in SAP Product Lifecycle CostingCVSS Score: 3.3Description: A local vulnerability requiring user privileges. It is relevant for securing developer and administrator workstations.ConclusionThe December SAP Security Patch Day highlights critical fixes addressing a wide range of vulnerabilities. Many of these require immediate action to prevent potential data breaches, system compromises, or denial-of-service attacks.We strongly encourage analyzing these vulnerabilities promptly and applying the necessary patches. Taking a proactive approach will minimize risks and maintain the security of your SAP landscapes. SAP Penetration Testing: https://redrays.io/sap-penetration-testing/SAP Security Training: https://www.udemy.com/course/sap-security-core-concepts-and-security-administration/ Read More Technology Blogs by Members articles
#SAP
#SAPTechnologyblog
