SAP Product Security Update Advisory

Overview

An update has been released to address vulnerabilities in SAP products. Users of the affected versions are advised to apply the corrections from the SAP Security Notes referenced below; the December 2024 SAP Security Patch Day page [1] lists all notes released in this cycle.

Affected Products

CVE-2024-47578

  • SAP NetWeaver AS for JAVA (Adobe Document Services) version: ADSSSAP 7.50

CVE-2024-47590

  • SAP Web Dispatcher versions: WEBDISP 7.77, 7.89, 7.93
  • SAP Web Dispatcher versions: KERNEL 7.77, 7.89, 7.93, 9.12, 9.13

CVE-2024-54198

  • SAP NetWeaver Application Server ABAP versions: KRNL64NUC 7.22, 7.22EXT
  • SAP NetWeaver Application Server ABAP versions: KRNL64UC 7.22, 7.22EXT, 7.53
  • SAP NetWeaver Application Server ABAP versions: KERNEL 7.22, 7.53, 7.54, 7.77, 7.89, 7.93

CVE-2024-47586

  • SAP NetWeaver Application Server for ABAP and ABAP Platform versions: KRNL64NUC 7.22, 7.22EXT
  • SAP NetWeaver Application Server for ABAP and ABAP Platform versions: KRNL64UC 7.22, 7.22EXT, 7.53, 8.04
  • SAP NetWeaver Application Server for ABAP and ABAP Platform versions: KERNEL 7.22, 7.53, 7.54, 7.77, 7.89, 7.93, 8.04, 9.12, 9.13

CVE-2024-54197

  • SAP NetWeaver Administrator version: LM-CORE 7.50


Resolved Vulnerabilities

A vulnerability in SAP NetWeaver AS for JAVA (Adobe Document Services) that allows an attacker with administrator privileges to send crafted requests from the vulnerable application to internal systems, which can be used to read or modify files or to render the system unusable (CVE-2024-47578)

A vulnerability in SAP Web Dispatcher's handling of input data that allows an unauthenticated attacker to craft a malicious link; if an authenticated user opens it, the attacker can perform an XSS or SSRF attack in that user's context (CVE-2024-47590)

A vulnerability in SAP NetWeaver AS ABAP that allows an authenticated attacker to obtain the credentials of a restricted destination through an RFC request and use them to fully compromise the remote service (CVE-2024-54198)

A vulnerability in the SAP NetWeaver AS ABAP kernel that allows an unauthenticated attacker to trigger a null pointer dereference with a crafted HTTP request; the system crashes and restarts, and is unavailable until the restart completes (denial of service) (CVE-2024-47586)

A server-side request forgery (SSRF) vulnerability in SAP NetWeaver Administrator that allows an authenticated attacker to enumerate HTTP endpoints on the internal network via a specially crafted HTTP request (CVE-2024-54197)


Vulnerability Patches

Patches for these vulnerabilities are available through the SAP Security Notes listed under Referenced Sites. Follow the instructions in the note for each CVE to apply the corrections for the affected component versions.

CVE-2024-47578

  • See Referenced Sites [2] (SAP Note 3536965) for the update

CVE-2024-47590

  • See Referenced Sites [3] (SAP Note 3520281) for the update

CVE-2024-54198

  • See Referenced Sites [4] (SAP Note 3469791) for the update

CVE-2024-47586

  • See Referenced Sites [5] (SAP Note 3504390) for the update

CVE-2024-54197

  • See Referenced Sites [6] (SAP Note 3542543) for the update


Referenced Sites

[1] SAP Security Patch Day – December 2024
https://support.sap.com/en/my-support/knowledge-base/security-notes-news/december-2024.html

[2] SAP Note 3536965
https://me.sap.com/notes/3536965

[3] SAP Note 3520281
https://me.sap.com/notes/3520281

[4] SAP Note 3469791
https://me.sap.com/notes/3469791

[5] SAP Note 3504390
https://me.sap.com/notes/3504390

[6] SAP Note 3542543
https://me.sap.com/notes/3542543