SAP Security Notes, January 2025

Hot news note 3537476 patches a critical improper-authentication vulnerability in SAP NetWeaver Application Server ABAP (AS ABAP). Attackers who can reach the application server can abuse weaknesses in the platform's authentication handling to compromise credentials used in internal RFC communication and then execute commands with the stolen credentials. The vulnerability carries a CVSS base score of 9.9/10: the attack is network-reachable, of low complexity and needs no user interaction, and a score of 9.9 with these metrics corresponds to an attacker holding only low privileges in the target system (the same attack with no privileges at all would score 10.0). The solution requires the implementation of a kernel patch; there is no workaround, so the kernel patch is the only fix.

Hot news note 3550708 addresses an information disclosure vulnerability in AS ABAP that is rated just as severely. Attackers can exploit insufficient authentication in the Internet Communication Framework (ICF) to access restricted information, with a high impact on confidentiality, integrity, and availability. The root cause is a testing utility that shipped with AS ABAP although it was never intended for customer delivery. The correction in the note disables the execution of the impacted programs via transaction SA38. Until the correction is applied, access to transaction SA38 can be restricted as a workaround (authorization object S_TCODE, field TCD). This only blocks one route to the programs and does not remove them, so treat it as a stopgap rather than a substitute for the note.

Note 3550816 deals with a high-risk SQL injection vulnerability in AS ABAP: remote-enabled function modules in function group SDBI can be abused to run attacker-controlled SQL against Informix databases. The correction deactivates the vulnerable functions. As a workaround, execution of the remote-enabled function modules in function group SDBI can be restricted through authorization object S_RFC (RFC_TYPE = FUGR, RFC_NAME = SDBI, ACTVT = 16). Note that any user whose S_RFC authorization carries a generic RFC_NAME value such as * can still call them, so wildcard grants have to be reviewed as well, not just explicit entries for SDBI.
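The following is an added example (not SAP code and not from the original page) that models the two authorization-based workarounds above, restricting transaction SA38 via S_TCODE for note 3550708 and restricting function group SDBI via S_RFC for note 3550816, and shows which roles in a constructed set of role data still reach them. The matching rules are a deliberate simplification of the kernel's checks (single values and a trailing * only, no from/to ranges, no auth/rfc_authority_check variants), the role data is constructed, and the function module name HYPOTHETICAL_SDBI_FM is a placeholder.

```python
"""Simplified model of SAP S_RFC / S_TCODE authorization checks, used to audit
the workarounds in notes 3550708 (restrict SA38) and 3550816 (restrict SDBI).

Added example, not SAP code.  Matching is simplified: single values and a
trailing '*' only; the real kernel also handles from/to ranges and the
auth/rfc_authority_check profile parameter, which are not modelled here.
"""
from dataclasses import dataclass


@dataclass
class Auth:
    obj: str        # authorization object, e.g. "S_RFC"
    fields: dict    # field name -> list of permitted values


def value_matches(pattern: str, value: str) -> bool:
    """'*' alone is fully generic, a trailing '*' matches any suffix, else exact."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def auth_grants(auth: Auth, obj: str, required: dict) -> bool:
    """One authorization grants a check only if it is for the same object and
    every required field is satisfied by that same authorization; SAP does not
    combine fields across different authorizations of the same object."""
    if auth.obj != obj:
        return False
    return all(any(value_matches(p, v) for p in auth.fields.get(f, []))
               for f, v in required.items())


def can_execute_rfc(auths, fugr: str, func: str) -> bool:
    """S_RFC, permissive reading: a grant on the function group (RFC_TYPE=FUGR)
    or on the module itself (RFC_TYPE=FUNC) with ACTVT=16 (Execute) suffices."""
    for rfc_type, name in (("FUGR", fugr), ("FUNC", func)):
        required = {"RFC_TYPE": rfc_type, "RFC_NAME": name, "ACTVT": "16"}
        if any(auth_grants(a, "S_RFC", required) for a in auths):
            return True
    return False


def can_start_tcode(auths, tcode: str) -> bool:
    """S_TCODE: the transaction start check uses only the TCD field."""
    return any(auth_grants(a, "S_TCODE", {"TCD": tcode}) for a in auths)


# Constructed role data for the example (not taken from any real system).
ROLES = {
    "BASIS_ADMIN": [
        Auth("S_RFC", {"RFC_TYPE": ["FUGR", "FUNC"], "RFC_NAME": ["*"], "ACTVT": ["16"]}),
        Auth("S_TCODE", {"TCD": ["*"]}),
    ],
    "RFC_INTERFACE": [   # technical interface user that also received SDBI
        Auth("S_RFC", {"RFC_TYPE": ["FUGR"], "RFC_NAME": ["SDBI", "Z*"], "ACTVT": ["16"]}),
    ],
    "DEVELOPER": [
        Auth("S_RFC", {"RFC_TYPE": ["FUGR"], "RFC_NAME": ["Z*"], "ACTVT": ["16"]}),
        Auth("S_TCODE", {"TCD": ["SE38", "SA38"]}),
    ],
    "REPORT_USER": [Auth("S_TCODE", {"TCD": ["SA38"]})],
    "DISPLAY_ONLY": [Auth("S_TCODE", {"TCD": ["SU53"]})],
}


def roles_reaching_sdbi(roles=ROLES):
    """Roles that can still call a remote-enabled module in function group SDBI."""
    return sorted(r for r, auths in roles.items()
                  if can_execute_rfc(auths, "SDBI", "HYPOTHETICAL_SDBI_FM"))


def roles_starting_tcode(tcode: str, roles=ROLES):
    return sorted(r for r, auths in roles.items() if can_start_tcode(auths, tcode))


def harden_s_rfc(auths, fugr: str):
    """Apply the note 3550816 workaround to one role: drop explicit RFC_NAME grants
    on the function group and return the hardened authorizations together with
    any S_RFC authorization whose wildcard still covers it (a '*' cannot be
    narrowed automatically and needs a manual role redesign)."""
    hardened, needs_review = [], []
    for a in auths:
        if a.obj != "S_RFC":
            hardened.append(a)
            continue
        names = [n for n in a.fields.get("RFC_NAME", []) if n != fugr]
        new = Auth(a.obj, {**a.fields, "RFC_NAME": names})
        hardened.append(new)
        if any(value_matches(n, fugr) for n in names):
            needs_review.append(new)
    return hardened, needs_review


if __name__ == "__main__":
    print("can reach SDBI:", roles_reaching_sdbi())
    print("can start SA38:", roles_starting_tcode("SA38"))
    fixed = {}
    for role, auths in ROLES.items():
        fixed[role], review = harden_s_rfc(auths, "SDBI")
        if review:
            print(f"{role}: wildcard S_RFC grant still covers SDBI, review manually")
    print("after hardening:", roles_reaching_sdbi(fixed))
```

The point of the `harden_s_rfc` output is the review list: removing the literal SDBI entry fixes the interface role, but the admin role's generic `*` still reaches the function group, which is exactly the case the workaround in the note cannot cover without a role redesign.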

Note 3474398 patches multiple vulnerabilities in the SAP BusinessObjects Business Intelligence (BOBJ) Platform. These include an information disclosure that can lead to session hijacking and a code injection that allows attackers to inject and execute malicious JavaScript.

Note 3542533 resolves a DLL hijacking vulnerability in SAPSetup, the tool that installs, updates, and maintains SAP software on Microsoft Windows. A local attacker who can write to a temporary directory that SAPSetup loads DLLs from can escalate privileges on the Windows host and, from a domain-joined server, potentially compromise Active Directory. The correction in the note fixes the permissions of the relevant temporary directories.
