On the 10th of December 2024, SAP Security Patch Day saw the release of 10 new Security Notes.
There were 3 updates to previously released Security Notes.
Notes by severity

Severity | Count |
---|---|
HotNews | 1 |
Correction with high priority | 4 |
Correction with medium priority | 6 |
Correction with low priority | 2 |
Highlights
On December Patch Day SAP presents 5 high-severity Notes, 1 of them rated as HotNews.
As 2024 draws to a close, SAP has released numerous Notes across the year's Patch Days, and we highlight the most critical ones in this final edition of the year.
To start, let us cover Note 3536965 – Multiple vulnerabilities in SAP NetWeaver AS for JAVA (Adobe Document Services) – with CVSS Scores of 9.1 and 6.8.
This Security Note fixes several flaws in the Adobe Document Services of SAP NetWeaver AS for Java. The vulnerability specifics follow, together with the relevant CVE and CVSS information:
CVE-2024-47578: An attacker with administrator rights can send a specially crafted request from a vulnerable web application that uses Adobe Document Service. This Server-Side Request Forgery is typically used to target internal systems that sit behind firewalls and are normally unreachable from the outside network. If exploitation succeeds, the attacker can read or alter any file and/or render the entire system inoperable. CVSS Score is 9.1.
CVE-2024-47579: An attacker posing as an administrator can upload a custom PDF font file to the system server, or download one from it, via an exposed web service. By using the upload feature to convert an internal file into a font file and then the download feature to retrieve it, the attacker can read any file on the server without affecting its availability or integrity. CVSS Score is 6.8.
CVE-2024-47580: Using an exposed web service, an attacker posing as an administrator can generate a PDF with an attachment. By designating an internal server file as that attachment and then downloading the generated PDF, the attacker can read any file on the server without compromising its availability or integrity. CVSS Score is 6.8.
The next Note to highlight is the update to Note 3520281, released in November – Cross-Site Scripting (XSS) vulnerability in SAP Web Dispatcher – with a CVSS Score of 8.8.
An unauthenticated attacker can create a malicious link and make it publicly accessible. When an authenticated victim clicks this link, the page generation uses the input data to create content that, when run in the victim's browser (XSS) or sent to another server (SSRF), allows the attacker to run arbitrary code on the server, completely compromising availability, confidentiality, and integrity.
This note has been re-released with updated ‘Reason and Prerequisites’ information.
Finally, a couple of Notes dedicated to SAP NetWeaver Application Server ABAP security:
Note 3469791 – Information Disclosure vulnerability through Remote Function Call (RFC) in SAP NetWeaver Application Server ABAP – with a CVSS Score of 8.5.
An authenticated attacker can disclose credentials for a remote service by crafting a Remote Function Call (RFC) request to restricted destinations under specific SAP NetWeaver Application Server ABAP conditions. The remote service might then be fully compromised using these credentials, which could have a serious effect on the application’s availability, confidentiality, and integrity.
The update to Note 3504390 – NULL Pointer Dereference vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform – with a CVSS Score of 7.5.
An unauthenticated attacker can send a maliciously crafted HTTP request to SAP NetWeaver Application Server for ABAP and ABAP Platform, which could result in a kernel NULL pointer dereference. The dereference crashes and restarts the system, making it temporarily unavailable. Repeatedly sending this request may make the application completely unavailable. Integrity and confidentiality are unaffected.
We were happy to assist you with such difficult-to-maintain things as SAP security during this year, and we wish you Christmas miracles in warm company.
Stay safe!
SAP Component | Number | Description | Priority | CVSS | CVSS Vector |
---|---|---|---|---|---|
BC-SRV-FP | 3536965 | [CVE-2024-47578] Multiple vulnerabilities in SAP NetWeaver AS for JAVA(Adobe Document Services) | HotNews | 9.1 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
BC-CST-WDP | 3520281 | [CVE-2024-47590] Cross-Site Scripting (XSS) vulnerability in SAP Web Dispatcher | high | 8.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
BC-MID-RFC | 3469791 | [CVE-2024-54198] Information Disclosure vulnerability through Remote Function Call (RFC) in SAP NetWeaver Application Server ABAP | high | 8.5 | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H |
BC-ABA-LA | 3504390 | [CVE-2024-47586] NULL Pointer Dereference vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform | high | 7.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
BC-JAS-ADM-MON | 3542543 | [CVE-2024-54197] Server-Side Request Forgery in SAP NetWeaver Administrator (System Overview) | high | 7.2 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N |
BC-CCM-SLD | 3351041 | [CVE-2024-47582] XML Entity Expansion Vulnerability in SAP NetWeaver AS JAVA | medium | 5.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
BI-BIP-SEC | 3524933 | [CVE-2024-32732] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence platform | medium | 5.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
BC-MID-UCO | 3536361 | [CVE-2024-47585] Missing Authorization check in SAP NetWeaver Application Server for ABAP and ABAP Platform | medium | 4.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
BI-BIP-INV | 3515653 | Update 1 to Security Note 3433545: [CVE-2024-42375] Multiple Unrestricted File Upload vulnerabilities in SAP BusinessObjects Business Intelligence Platform | medium | 4.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
BI-BIP-INV | 3433545 | [CVE-2024-42375] Multiple Unrestricted File Upload vulnerabilities in SAP BusinessObjects Business Intelligence Platform | medium | 4.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
PA-FIO-TS | 3522332 | [CVE-2024-47581] Missing Authorization check in SAP HCM (Approve Timesheets version 4) | medium | 4.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
PLM-PLC | 3504847 | [CVE-2024-47576] DLL Hijacking vulnerability in SAP Product Lifecycle Costing | low | 3.3 | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
CEC-SCC-COM-AS | 3535451 | [CVE-2024-47577] Information Disclosure vulnerability in SAP Commerce Cloud | low | 2.7 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N |