Overview

SAP’s security patch day for December 2024 saw the release of 13 OSS SAP security notes. One note has been classified as critical, four as high, six as medium, and two as low, based on their CVSS v3.0 rating.

Security notes CVSS v3 base score Dec24

Two notes have been released for:

  • SAP NetWeaver Application Server for ABAP and ABAP Platform

Three notes have been released for:

  • SAP BusinessObjects

Single notes have been released for:

  • SAP NetWeaver AS for JAVA (Adobe Document Services)
  • SAP Web Dispatcher
  • SAP NetWeaver Application Server ABAP
  • SAP NetWeaver Administrator (System Overview)
  • SAP NetWeaver AS JAVA
  • SAP HCM
  • SAP Product Lifecycle Costing
  • SAP Commerce Cloud

Security Notes by Product Category for Dec2024

Vulnerabilities: December 2024 Highlights

[CVE-2024-47585] Missing Authorisation check in SAP NetWeaver Application Server for ABAP and ABAP Platform (SAP Note 3536361)

SAP NetWeaver Application Server for ABAP and ABAP Platform allows an authenticated attacker to gain higher access levels than they should have by exploiting improper authorisation checks, which results in privilege escalation. While authorisations for import and export are distinguished, a single authorisation is applied for both, which may contribute to these risks.

[CVE-2022-47578] Multiple vulnerabilities in SAP NetWeaver AS for JAVA (Adobe Document Services) (SAP Note 3536965)

Adobe Document Service allows an attacker with administrator privileges to send a crafted request from a vulnerable web application.

About this Review

On the second Tuesday of each month, SAP release security updates to their software products. At Absoft, we analyse all of the released security updates and produce this security review, including sending bespoke recommendations for each of our managed service customers.

There is more information on how we handle SAP security updates, including information on SAP’s process, the CVE process and the CVSS base scores in our earlier article on addressing security vulnerabilities in SAP software.
