Skip links
RedRays - Your SAP Security Solution
Vahagn Vardanian

Vahagn Vardanian

Co-founder and CTO of RedRays

SAP Security on Udemy

SAP Security Patch Day – December 2024

SAP Security Patch Day – December 2024 Overview

On December 10, 2024, SAP released its monthly Security Patch Day updates, addressing several vulnerabilities across various products, including SAP NetWeaver AS, SAP BusinessObjects Business Intelligence Platform, SAP Commerce Cloud, SAP Web Dispatcher, and more. Below, we provide an overview of the most critical vulnerabilities, their risk levels, and recommended actions to safeguard your SAP landscape.

Critical and High-Priority Vulnerabilities

  1. [CVE-2024-47578] Multiple Vulnerabilities in SAP NetWeaver AS for JAVA (Adobe Document Services)

    • CVSS Score: 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
    • Affected Component: SAP NetWeaver AS for JAVA (Adobe Document Services)
    • Description: A set of vulnerabilities that can compromise sensitive information and allow significant impact on system integrity and availability.
    • Priority: HotNews

    This vulnerability requires immediate attention as attackers with administrative privileges (PR:H) can exploit it to access critical data and disrupt SAP systems.

  2. [CVE-2024-47590] Cross-Site Scripting (XSS) in SAP Web Dispatcher

    • CVSS Score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
    • Affected Component: SAP Web Dispatcher
    • Description: A high-severity XSS vulnerability that enables attackers to inject malicious code into the web interface, potentially leading to session hijacking, content spoofing, and more.
    • Priority: Correction with high priority

    This vulnerability is exploitable without prior authentication (PR:N), emphasizing the urgency of applying the patch.

  3. [CVE-2024-47586] NULL Pointer Dereference in SAP NetWeaver Application Server for ABAP and ABAP Platform

    • CVSS Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
    • Affected Component: SAP NetWeaver AS ABAP
    • Description: This vulnerability can lead to a denial of service (DoS), causing critical unavailability of the affected system.
    • Priority: Correction with high priority

  4. [CVE-2024-54197] Server-Side Request Forgery (SSRF) in SAP NetWeaver Administrator (System Overview)

    • CVSS Score: 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
    • Affected Component: SAP NetWeaver Administrator
    • Description: SSRF vulnerabilities can allow unauthenticated attackers to access internal resources, potentially exposing sensitive data or leveraging trusted connections.
    • Priority: Correction with high priority

  5. [CVE-2024-54198] Information Disclosure via RFC in SAP NetWeaver Application Server ABAP

    • CVSS Score: 8.5 (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)
    • Affected Component: SAP NetWeaver AS ABAP
    • Description: This high-risk vulnerability enables attackers with low privileges (PR:L) to exploit complex scenarios (AC:H) to access critical information or compromise system integrity.
    • Priority: Correction with high priority

Medium- and Low-Priority Vulnerabilities

  1. [CVE-2024-47582] XML Entity Expansion in SAP NetWeaver AS JAVA

    • CVSS Score: 5.3
    • Description: A vulnerability in XML processing that could lead to system overload or potential denial of service.

  2. [CVE-2024-32732] Information Disclosure in SAP BusinessObjects Business Intelligence Platform

    • CVSS Score: 5.3
    • Description: An issue that could result in the leakage of non-critical but sensitive information.

  3. [CVE-2024-42375] Multiple Unrestricted File Upload Vulnerabilities in SAP BusinessObjects Business Intelligence Platform

    • CVSS Score: 4.3
    • Description: Allows attackers with limited privileges to upload unwanted files, potentially affecting data integrity.

  4. [CVE-2024-47585] Missing Authorization Check in SAP NetWeaver AS ABAP and ABAP Platform

    • CVSS Score: 4.3
    • Description: Insufficient authorization checks could allow unauthorized access to specific data.

  5. [CVE-2024-47577] Information Disclosure in SAP Commerce Cloud

    • CVSS Score: 2.7
    • Description: A low-severity information disclosure vulnerability requiring administrator privileges.

  6. [CVE-2024-47576] DLL Hijacking in SAP Product Lifecycle Costing

    • CVSS Score: 3.3
    • Description: A local vulnerability requiring user privileges. It is relevant for securing developer and administrator workstations.

Conclusion

The December SAP Security Patch Day highlights critical fixes addressing a wide range of vulnerabilities. Many of these require immediate action to prevent potential data breaches, system compromises, or denial-of-service attacks.

We strongly encourage analyzing these vulnerabilities promptly and applying the necessary patches. Taking a proactive approach will minimize risks and maintain the security of your SAP landscapes.

Explore More

Special offer for SAP Security Udemy course!

$ 9.99

Join “SAP Security Core Concepts and Security Administration” which is part of the Blackhat course series. 

JOIN