SAP Patchday: Updates close security gaps, some of them critical
In December, SAP reports on nine newly discovered security vulnerabilities in various products. One of these is considered a critical risk.
There are security gaps in SAP products.
(Image: created with AI in Bing Designer by heise online / dmk)
SAP has issued nine new security notifications for the December patchday. The Walldorf-based company is also updating four older vulnerability reports. One gap poses a critical security risk – IT managers should apply the available updates quickly.
In the patchday overview, SAP lists the security vulnerabilities that the developers are patching with updates in December. The most serious vulnerability affects SAP NetWeaver AS for Java – or, to be more precise, there are three gaps in Adobe Document Services. Attackers with admin rights can, for example, send manipulated requests through vulnerable web apps and thereby reach systems behind firewalls that should not be accessible to them. By exploiting this server-side request forgery, they can read or modify arbitrary files and paralyze the entire system (CVE-2024-47578, CVSS 9.1, risk "critical"). The other two vulnerabilities each have a CVSS value of 6.8 and are classified as medium risk.
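The SSRF pattern described above (a web application that forwards attacker-supplied requests to hosts behind the firewall) is a general class of flaw, so the following added example illustrates a defensive control rather than anything in the SAP components themselves; it is not SAP's code and is not taken from the advisory. The allowlist, the hostnames and the resolver table are constructed assumptions. The check rejects non-HTTP schemes, hosts that are not on an explicit allowlist, and allowlisted hosts whose DNS answer points into a private, loopback or link-local range (which covers DNS rebinding against an otherwise permitted name).

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed allowlist of destinations this service may contact (assumption).
ALLOWED_HOSTS = {"reports.example.com", "cdn.example.com"}


def is_public_address(ip_str):
    """True only for addresses outside private, loopback, link-local,
    multicast, reserved and unspecified ranges."""
    ip = ipaddress.ip_address(ip_str)
    return not (
        ip.is_private
        or ip.is_loopback
        or ip.is_link_local
        or ip.is_multicast
        or ip.is_reserved
        or ip.is_unspecified
    )


def check_outbound_url(url, resolver=socket.gethostbyname):
    """Validate a URL the application is about to fetch on a client's behalf.

    Returns (True, resolved_ip) when the request may proceed, otherwise
    (False, reason). The caller should connect to resolved_ip rather than
    re-resolving the name, so the checked answer is the one actually used.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parsed.hostname
    if not host:
        return False, "no host in URL"
    # Literal IP addresses and unknown names are rejected by the allowlist.
    if host not in ALLOWED_HOSTS:
        return False, "host not on allowlist"
    try:
        resolved = resolver(host)
    except OSError:
        return False, "name resolution failed"
    if not is_public_address(resolved):
        return False, f"resolves to non-public address {resolved}"
    return True, resolved


# Constructed resolver table so the example runs offline (assumption):
# cdn.example.com deliberately resolves into a private range to simulate a
# rebinding or misconfiguration that the address check must catch.
_FAKE_DNS = {
    "reports.example.com": "93.184.216.34",
    "cdn.example.com": "10.0.0.5",
}


def fake_resolver(host):
    if host not in _FAKE_DNS:
        raise OSError("no such host")
    return _FAKE_DNS[host]


def demo():
    """Run the check over a handful of constructed URLs."""
    samples = [
        "https://reports.example.com/export?id=42",
        "https://cdn.example.com/asset.js",
        "http://127.0.0.1:50000/nwa",
        "http://169.254.169.254/latest/meta-data/",
        "file:///etc/passwd",
    ]
    return {u: check_outbound_url(u, fake_resolver) for u in samples}


if __name__ == "__main__":
    for url, (ok, detail) in demo().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {url} -> {detail}")
```

The allowlist does most of the work; the post-resolution address check exists for the case where a permitted name is later pointed at an internal address. Whatever HTTP client performs the fetch should also disable redirect following, or re-run this check on every redirect target, since an allowed host can redirect into the internal network.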
SAP: High-risk vulnerabilities also closed
Through a remote function call in SAP NetWeaver Application Server ABAP, logged-in attackers can gain unauthorized access to information, such as access data for remote services. This allows them to completely compromise these services (CVE-2024-54198, CVSS 8.5, high). In addition, a vulnerability in SAP NetWeaver Administrator (System Overview) also enables server-side request forgery (CVE-2024-54197, CVSS 7.2, high).
The developers have classified the other vulnerabilities as medium or low threat level. Nevertheless, IT managers should close the security gaps promptly by installing the available updates. The complete list of vulnerabilities addressed on the December patchday:
- Multiple vulnerabilities in SAP NetWeaver AS for JAVA (Adobe Document Services), CVSS 9.1, critical
- Information Disclosure vulnerability through Remote Function Call (RFC) in SAP NetWeaver Application Server ABAP, CVSS 8.5, high
- Server-Side Request Forgery in SAP NetWeaver Administrator (System Overview), CVSS 7.2, high
- XML Entity Expansion Vulnerability in SAP NetWeaver AS JAVA, CVSS 5.3, medium
- Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence platform, CVSS 5.3, medium
- Missing Authorization check in SAP NetWeaver Application Server for ABAP and ABAP Platform, CVSS 4.3, medium
- Missing Authorization check in SAP HCM (Approve Timesheets version 4), CVSS 4.3, medium
- DLL Hijacking vulnerability in SAP Product Lifecycle Costing, CVSS 3.3, low
- Information Disclosure vulnerability in SAP Commerce Cloud, CVSS 2.7, low
The developers have also updated the security notifications for the following vulnerabilities:
- Cross-Site Scripting (XSS) vulnerability in SAP Web Dispatcher, CVSS 8.8, high, from November
- NULL Pointer Dereference vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform, CVSS 7.5, high, from November
- Multiple Unrestricted File Upload vulnerabilities in SAP BusinessObjects Business Intelligence Platform, CVSS 4.3, medium
On the November patch day, SAP patched eight new vulnerabilities and corrected the security notifications for two older vulnerabilities.
(dmk)