Enterprise software maker SAP on Tuesday announced the release of nine new and four updated security notes as part of its December 2024 Security Patch Day.
Marked as ‘hot news’, the highest severity rating on SAP’s scale, the first new security note addresses three vulnerabilities in NetWeaver AS for JAVA (Adobe Document Services), including a critical flaw that could lead to full system compromise.
The critical issue, tracked as CVE-2024-47578 (CVSS score of 9.1), affects the Adobe Document Service component of NetWeaver and allows an attacker with administrative privileges to send a crafted request from the vulnerable web application.
“It is usually used to target internal systems behind firewalls that are normally inaccessible to an attacker from the external network, resulting in a Server-Side Request Forgery vulnerability. On successful exploitation, the attacker can read or modify any file and/or make the entire system unavailable,” a NIST advisory reads.
The remaining two security defects, CVE-2024-47579 and CVE-2024-47580, are medium-severity vulnerabilities that could be exploited to read files on the server. Both flaws require administrative access to be exploited.
On its December 2024 Security Patch Day, SAP also released a high-priority security note that addresses CVE-2024-54198, an authenticated information disclosure bug in NetWeaver, exploitable through manipulated Remote Function Call (RFC) requests.
“By crafting specially designed RFC requests to restricted destinations, malicious actors can gain unauthorized access to sensitive service credentials, which could then be leveraged to completely compromise the targeted remote service,” software security firm Onapsis explains.
SAP also published a security note that resolves a high-severity SSRF vulnerability in NetWeaver, and updated two November 2024 patch day high-priority notes dealing with a cross-site scripting (XSS) vulnerability in Web Dispatcher and with a NULL pointer dereference bug in NetWeaver.
Of the remaining security notes, six (four new and two updated) resolve medium-severity bugs in NetWeaver, BusinessObjects, and HCM, and two deal with low-severity issues in Product Lifecycle Costing and Commerce Cloud.
SAP makes no mention of any of these vulnerabilities being exploited in the wild, but users are advised to apply the security notes as soon as possible.