SAP Patch Day: December 2024
Highlights of December SAP Security Notes analysis include:
- December Summary — Thirteen new and updated SAP security patches were released, including one HotNews Note and four High Priority Notes.
- SAP High Priority Notes — Two new Notes fix ‘Server-Side Request Forgery’ and ‘Information Disclosure’ vulnerabilities. Two Notes are re-releases from November’s Patch Day.
- Onapsis Research Labs Contribution — Our team supported SAP in patching four vulnerabilities in December covered with two Notes, including the only HotNews Note of the month.
SAP has released thirteen SAP Security Notes on its December Patch Day (including the notes that were released or updated since last Patch Tuesday). This includes one HotNews Note and four High Priority Notes.
SAP Security Note #3542543, with a CVSS severity score of 7.2, patches a Server-Side Request Forgery (SSRF) vulnerability in the SAP NetWeaver Administrator (System Overview) within the AS Java stack. The flaw stems from a vulnerable servlet lacking proper authorization checks, which enables potential attackers to enumerate accessible HTTP endpoints in the internal network through carefully crafted HTTP requests. Upon successful exploitation, an attacker could trigger an SSRF attack with limited impact on data integrity and confidentiality.
SAP Security Note #3504390 provides an update to a vulnerability initially disclosed during SAP’s November Patch Day. The Onapsis Research Labs (ORL) identified a NULL Pointer Dereference vulnerability in the SAP Kernel that can be exploited by an unauthenticated attacker through maliciously crafted HTTP requests. The update notably raises the CVSS severity score from 5.3 to 7.5, escalating the vulnerability’s risk classification from Medium to High.
High Priority Note #3520281 provides an update to a vulnerability initially disclosed during SAP’s November Patch Day. The ORL detected a Cross-Site Scripting (XSS) vulnerability in SAP Web Dispatcher. This update primarily modifies the ‘Reasons and prerequisites’ section of the original note, with no additional actions required from customers.
The New HotNews Note in detail
SAP Security Note #3536965, tagged with a CVSS score of 9.1, is the only HotNews Note in December. The ORL identified vulnerabilities in the Adobe Document Services. These vulnerabilities, tracked as CVE-2024-47578, CVE-2024-47579, and CVE-2024-47580, collectively expose organizations to potential server-side request forgery (SSRF), unauthorized file access, and information disclosure.
The most severe vulnerability (CVE-2024-47578) carries a critical CVSS score of 9.1 and allows a user with administrative privileges to potentially compromise the entire system, read or modify files, and disrupt system availability. The other two vulnerabilities (CVE-2024-47579 and CVE-2024-47580) enable authenticated administrators to exploit PDF-related web services to read internal server files through manipulation techniques without compromising system integrity or availability.
An FAQ for this SAP Security Note is also available as Note #3544926.
The New High Priority Note in detail
SAP Security Note #3469791, tagged with a CVSS score of 8.5, reported by ORL, allows an authenticated attacker to manipulate Remote Function Call (RFC) requests, potentially enabling them to intercept and exploit credentials for remote services. By crafting specially designed RFC requests to restricted destinations, malicious actors can gain unauthorized access to sensitive service credentials, which could then be leveraged to completely compromise the targeted remote service.
A workaround is available: setting the profile parameter “rfc/dynamic_dest_api_only = 1” completely deactivates the legacy dynamic destination API, blocking the exploitation vector for unauthorized RFC requests. With this configuration in place, administrators can temporarily prevent attackers from crafting malicious requests to restricted destinations. Note that this is a temporary measure only; the patch must still be applied to fully address the vulnerability.
SAP warns that this workaround may cause all applications using legacy destinations to fail.
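A small check a defender could run against an exported profile file to confirm whether the stopgap above is in place. This is an added example, not code from SAP or Onapsis; it assumes the standard `name = value` profile syntax with `#` comment lines and last-assignment-wins semantics, and that an absent parameter means the legacy dynamic destination API is still active. The two profiles inside the script are constructed samples, not real customer data.

```python
"""Check an SAP profile (e.g. DEFAULT.PFL) for the rfc/dynamic_dest_api_only
workaround from SAP Security Note #3469791.

Added example, not SAP or Onapsis code. Assumptions (see lead-in):
- profile lines are `name = value`, lines starting with `#` are comments,
  and the last assignment of a parameter wins;
- an unset parameter means the legacy dynamic destination API is active.
This inspects the file only; the effective runtime value on a running
instance must still be verified in the system itself.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

PARAM = "rfc/dynamic_dest_api_only"
# name must not start with '#', '=' or whitespace; lazy match up to the '='
_LINE = re.compile(r"^\s*([^#=\s][^=]*?)\s*=\s*(.*?)\s*$")

# Constructed sample: workaround not applied.
PROFILE_UNPATCHED = """\
# DEFAULT.PFL (constructed sample)
SAPSYSTEMNAME = DEV
login/no_automatic_user_sapstar = 1
"""

# Constructed sample: an earlier value is overridden by the later line.
PROFILE_WORKAROUND = """\
# DEFAULT.PFL (constructed sample, workaround applied)
SAPSYSTEMNAME = DEV
# earlier assignment, superseded by the line below
rfc/dynamic_dest_api_only = 0
rfc/dynamic_dest_api_only = 1
"""


def parse_profile(text: str) -> dict[str, str]:
    """Return parameter -> value; later assignments override earlier ones."""
    params: dict[str, str] = {}
    for raw in text.splitlines():
        m = _LINE.match(raw)
        if m:  # blank lines and '#' comment lines do not match
            params[m.group(1)] = m.group(2)
    return params


@dataclass(frozen=True)
class WorkaroundStatus:
    applied: bool
    value: str | None
    detail: str


def check_workaround(text: str) -> WorkaroundStatus:
    """Classify a profile as protected by the workaround or not."""
    value = parse_profile(text).get(PARAM)
    if value is None:
        return WorkaroundStatus(
            False, None,
            f"{PARAM} not set: legacy dynamic destinations remain active; "
            "apply Note #3469791 (or set the parameter to 1 as a stopgap)",
        )
    if value == "1":
        return WorkaroundStatus(
            True, value,
            f"{PARAM} = 1: legacy dynamic destinations deactivated; "
            "temporary workaround only, and legacy-destination apps may fail",
        )
    return WorkaroundStatus(False, value, f"{PARAM} = {value}: workaround not active")


if __name__ == "__main__":
    for label, profile in (("unpatched", PROFILE_UNPATCHED),
                           ("workaround", PROFILE_WORKAROUND)):
        print(f"{label}: {check_workaround(profile).detail}")
```

Run it against a real profile by reading the file into `check_workaround`; a result of `applied=True` shows only that the stopgap is configured, not that the patch from Note #3469791 has been applied.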
Onapsis Contribution
Once again, our Onapsis Research Labs (ORL) team contributed vulnerability findings to the December Security Notes. Of the thirteen Security Notes, four are contributions of the ORL. The list includes the only new HotNews Priority Note #3536965, one of the new High Priority Notes (#3469791), and two High Priority Note updates. For SAP Security Note #3504390, the CVSS score was updated to a higher value, and for Note #3520281 the update affects only the description.
Summary & Conclusions
SAP’s December Patch Day represents another calm Patch Day with only thirteen Security Notes, including ten new notes and three updates. We are happy that the Onapsis Research Labs could once more contribute to increasing the security of SAP applications. SAP customers can expect much more to come from the ORL in the next few months.
| SAP Note | Type | Description | Priority | CVSS |
|---|---|---|---|---|
| 3536965 | New | [CVE-2024-47578] Multiple vulnerabilities in SAP NetWeaver AS for JAVA (Adobe Document Services) BC-SRV-FP | HotNews | 9.1 |
| 3520281 | Update | [CVE-2024-47590] Cross-Site Scripting (XSS) vulnerability in SAP Web Dispatcher BC-CST-WDP | High | 8.8 |
| 3469791 | New | [CVE-2024-54198] Information Disclosure vulnerability through Remote Function Call (RFC) in SAP NetWeaver Application Server ABAP BC-MID-RFC | High | 8.5 |
| 3504390 | Update | [CVE-2024-47586] NULL Pointer Dereference vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform BC-ABA-LA | High | 7.5 |
| 3542543 | New | [CVE-2024-54197] Server-Side Request Forgery in SAP NetWeaver Administrator (System Overview) BC-JAS-ADM-MON | High | 7.2 |
| 3351041 | New | [CVE-2024-47582] XML Entity Expansion Vulnerability in SAP NetWeaver AS JAVA BC-CCM-SLD | Medium | 5.3 |
| 3524933 | New | [CVE-2024-32732] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence platform BI-BIP-SEC | Medium | 5.3 |
| 3536361 | New | [CVE-2024-47585] Missing Authorization check in SAP NetWeaver Application Server for ABAP and ABAP Platform BC-MID-UCO | Medium | 4.3 |
| 3515653 | New | Update 1 to Security Note 3433545: [CVE-2024-42375] Multiple Unrestricted File Upload vulnerabilities in SAP BusinessObjects Business Intelligence Platform BI-BIP-INV | Medium | 4.3 |
| 3433545 | Update | [CVE-2024-42375] Multiple Unrestricted File Upload vulnerabilities in SAP BusinessObjects Business Intelligence Platform BI-BIP-INV | Medium | 4.3 |
| 3522332 | New | [CVE-2024-47581] Missing Authorization check in SAP HCM (Approve Timesheets version 4) PA-FIO-TS | Medium | 4.3 |
| 3504847 | New | [CVE-2024-47576] DLL Hijacking vulnerability in SAP Product Lifecycle Costing PLM-PLC | Low | 3.3 |
| 3535451 | New | [CVE-2024-47577] Information Disclosure vulnerability in SAP Commerce Cloud CEC-SCC-COM-AS | Low | 2.7 |
As always, the Onapsis Research Labs is already updating The Onapsis Platform to incorporate the newly published vulnerabilities into the product so that our customers can protect their businesses.
For more information about the latest SAP security issues and our continuous efforts to share knowledge with the security community, subscribe to our monthly Defender’s Digest Onapsis Newsletter.