SAP Security Patch Day – December 2024
Time flies as we have arrived at the last Patch Tuesday of 2024! End-of-year festivities are on the horizon but don’t let that be a reason to take your eye off this month’s released security notes. It is a well-known strategy among scammers to try to mislead people, especially during holidays. Why? Because people are in a different mood, they tend to lower their guard more easily. This makes them more susceptible to phishing attempts and other nasty tricks. This may seem different in business environments, but the human factor here is just as important. So, let’s waste no time and jump into this month’s patch cycle!
At SecurityBridge, we recognize the critical significance of patch management and the complexities it presents for organizations. Our Patch Management solution is here to help, providing invaluable insights into the prevailing patching gaps across SAP landscapes. Furthermore, it empowers organizations to evaluate the potential ramifications of specific patches, even before implementation, by offering a comprehensive, landscape-wide overview of patching status.
Security notes - December 2024
In this release, 9 security notes have been newly released and 4 have been updated. We will highlight some of the notes below.
SAP NetWeaver Java
With all the attention on recent cloud developments, on-premise applications may be a bit neglected by organizations. SAP NetWeaver Java is an example of such a technology stack, also because of the future roadmap of Java-based products. This month though, we see 3 security notes that require serious attention.
First things first: the HotNews. Note 3536965 describes not one but three vulnerabilities discovered in the Adobe Document Services component of SAP NetWeaver Java. PDF generation is of course widely used, and many don’t realize that it is often actually handled by a web service on SAP NetWeaver Java. Even when users work in another system, such as SAP S/4HANA, the Java system is frequently the one doing this work.
Note 3536965 describes how an attacker can exploit a vulnerability to completely compromise the system, hence the CVSS score of 9.1. Two other vulnerabilities in Adobe Document Services are also covered by the note, but these have a lower impact (CVSS 6.8). All three issues are fixed by the same software update. There is no workaround available, so applying the patch is necessary here.
Note 3542543 points to another vulnerability on AS Java, where a vulnerable servlet can be exploited for Server-Side Request Forgery (SSRF). A workaround that disables the affected functionality is available, but – as always – it is recommended to apply the patch provided by SAP.
Note 3351041 concerns a ‘classic’ vulnerability caused by missing validation of XML input (XML Entity Expansion). Applying the patch is the way to solve this.
SAP Web Dispatcher
Last month, we referred to Note 3520281, which had the highest rating of November (CVSS 8.8). At first glance, it may look as if this note needs to be re-evaluated, but only background information has been added and no customer action is required. See FAQ note 3526389 for additional information on this vulnerability.
SAP NetWeaver ABAP / ABAP Platform
Not a month goes by without security notes for the ABAP technology stack. This month it concerns the following notes:
Note 3469791 describes how an attacker can use Remote Function Calls (RFC) to restricted destinations to expose credentials for further exploitation (CVSS 8.5). The preferred solution is to apply a kernel update for the system involved, but a workaround is available by setting the profile parameter ‘rfc/dynamic_dest_api_only’ to the value 1. Because this parameter can be changed dynamically, it can serve as a quick interim measure. Make sure to assess the impact on other connections though, as described in the note.
Other notes for SAP ABAP are either informational and require no action (Note 3504390) or have a low impact and simply require the software updates to be applied (Notes 3536361 and 3522332).
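To verify the interim measure for Note 3469791 across a landscape, the following added example (our own illustration, not SAP code or part of the original note) parses SAP profile files (`param = value` lines, `#` comment lines) and reports whether `rfc/dynamic_dest_api_only` is set to 1. It assumes the profile on disk reflects the active value; a change made only dynamically (e.g. in RZ11) is not persisted to the file and would not be seen by this check.

```python
"""Check SAP instance/default profiles for the Note 3469791 workaround.

Added example (not part of the original post). Parses SAP profile text
("param = value" lines, lines starting with '#' are comments) and checks
whether rfc/dynamic_dest_api_only is set to 1. The sample profiles below
are constructed for illustration.
"""
from __future__ import annotations

PARAM = "rfc/dynamic_dest_api_only"
EXPECTED = "1"


def parse_profile(text: str) -> dict[str, str]:
    """Return the profile's parameters; a later assignment overrides an earlier one."""
    params: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # skip blank lines, comments and malformed lines
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip()
    return params


def check_rfc_workaround(profile_text: str) -> tuple[bool, str]:
    """Return (workaround_active, explanation) for one profile."""
    value = parse_profile(profile_text).get(PARAM)
    if value is None:
        return False, f"{PARAM} not set (kernel default applies): apply the kernel update from Note 3469791 or set it to {EXPECTED}"
    if value != EXPECTED:
        return False, f"{PARAM} = {value}: workaround requires value {EXPECTED}"
    return True, f"{PARAM} = {EXPECTED}: workaround active, still plan the kernel update"


# Constructed sample profiles (not real systems)
SAMPLE_OK = "# instance profile (constructed)\nSAPSYSTEMNAME = XYZ\nINSTANCE_NAME = D00\nrfc/dynamic_dest_api_only = 1\n"
SAMPLE_MISSING = "SAPSYSTEMNAME = XYZ\nINSTANCE_NAME = D00\n"
SAMPLE_WRONG = "SAPSYSTEMNAME = XYZ\nrfc/dynamic_dest_api_only = 0\n"

if __name__ == "__main__":
    for name, text in [("ok", SAMPLE_OK), ("missing", SAMPLE_MISSING), ("wrong", SAMPLE_WRONG)]:
        active, why = check_rfc_workaround(text)
        print(f"{name:8} active={active} {why}")
```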
SAP Business Objects
Note 3433545 was released in August of this year, but the fix it mentions has now become obsolete. In all situations, follow the instructions from Note 3515653 instead, even if you applied the fix from Note 3433545 earlier! The three vulnerabilities covered there are all ‘File upload vulnerabilities’. Applying these fixes also resolves the vulnerability from Note 3524933 at the same time.
SAP Security Notes December 2024
Highlights
Only 1 HotNews note this month and quite some updates on earlier released notes.
Summary by Severity
The December release contains a total of 13 patches for the following severities:
Severity | Number |
---|---|
Hot News | 1 |
High | 4 |
Medium | 6 |
Low | 2 |
Note | Description | Severity | CVSS |
---|---|---|---|
3536965 | [CVE-2024-47578] Multiple vulnerabilities in SAP NetWeaver AS for JAVA(Adobe Document Services) Priority: HotNews Released on: 10.12.2024 Components: BC-SRV-FP Category: Program error | Hot News | 9.1 |
3520281 | [CVE-2024-47590] Cross-Site Scripting (XSS) vulnerability in SAP Web Dispatcher Priority: Correction with high priority Released on: 12.11.2024 Components: BC-CST-WDP Category: Program error | High | 8.8 |
3469791 | [CVE-2024-54198] Information Disclosure vulnerability through Remote Function Call (RFC) in SAP NetWeaver Application Server ABAP Priority: Correction with high priority Released on: 10.12.2024 Components: BC-MID-RFC Category: Program error | High | 8.5 |
3504390 | [CVE-2024-47586] NULL Pointer Dereference vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform Priority: Correction with high priority Released on: 12.11.2024 Components: BC-ABA-LA Category: Program error | High | 7.5 |
3542543 | [CVE-2024-54197] Server-Side Request Forgery in SAP NetWeaver Administrator (System Overview) Priority: Correction with high priority Released on: 10.12.2024 Components: BC-JAS-ADM-MON Category: Program error | High | 7.2 |
3524933 | [CVE-2024-32732] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence platform Priority: Correction with medium priority Released on: 10.12.2024 Components: BI-BIP-SEC Category: Program error | Medium | 5.3 |
3351041 | [CVE-2024-47582] XML Entity Expansion Vulnerability in SAP NetWeaver AS JAVA Priority: Correction with medium priority Released on: 10.12.2024 Components: BC-CCM-SLD Category: Program error | Medium | 5.3 |
3433545 | [CVE-2024-42375] Multiple Unrestricted File Upload vulnerabilities in SAP BusinessObjects Business Intelligence Platform Priority: Correction with medium priority Released on: 13.08.2024 Components: BI-BIP-INV Category: Program error | Medium | 4.3 |
3536361 | [CVE-2024-47585] Missing Authorization check in SAP NetWeaver Application Server for ABAP and ABAP Platform Priority: Correction with medium priority Released on: 10.12.2024 Components: BC-MID-UCO Category: Program error | Medium | 4.3 |
3522332 | [CVE-2024-47581] Missing Authorization check in SAP HCM (Approve Timesheets version 4) Priority: Correction with medium priority Released on: 26.11.2024 Components: PA-FIO-TS Category: Program error | Medium | 4.3 |
3515653 | Update 1 to Security Note 3433545: [CVE-2024-42375] Multiple Unrestricted File Upload vulnerabilities in SAP BusinessObjects Business Intelligence Platform Priority: Correction with medium priority Released on: 10.12.2024 Components: BI-BIP-INV Category: Program error | Medium | 4.3 |
3504847 | [CVE-2024-47576] DLL Hijacking vulnerability in SAP Product Lifecycle Costing Priority: Correction with low priority Released on: 10.12.2024 Components: PLM-PLC Category: Program error | Low | 3.3 |
3535451 | [CVE-2024-47577] Information Disclosure vulnerability in SAP Commerce Cloud Priority: Correction with low priority Released on: 10.12.2024 Components: CEC-SCC-COM-AS Category: Program error | Low | 2.7 |