December 10, 2024 at 08:57AM
SAP released nine new and four updated security notes on December 2024 Security Patch Day, addressing critical vulnerabilities in NetWeaver AS for Java. Notably, CVE-2024-47578 poses a significant risk of complete system compromise. Users are urged to implement the security updates promptly, although there are no known active exploits.
### Meeting Takeaways: SAP December 2024 Security Patch Update
1. **Release Overview**:
   - SAP announced the release of **nine new** and **four updated** security notes as part of its **December 2024 Security Patch Day**.
2. **Critical Vulnerabilities**:
   - **CVE-2024-47578**: A critical flaw in **NetWeaver AS for Java (Adobe Document Services)**, with a CVSS score of **9.1**, allowing full system compromise via crafted requests from vulnerable applications.
   - **Implications**: This vulnerability can lead to Server-Side Request Forgery (SSRF), potentially enabling attackers to modify files or render the system unavailable.
3. **Medium-Severity Vulnerabilities**:
   - **CVE-2024-47579** and **CVE-2024-47580**: Both are medium-severity vulnerabilities allowing file read access on the server; exploitation requires administrative access.
4. **High-Priority Vulnerability**:
   - **CVE-2024-54198**: An authenticated information disclosure vulnerability in **NetWeaver**, which can be exploited through crafted RFC requests to access sensitive service credentials.
5. **Additional Security Notes**:
   - A high-severity SSRF vulnerability in NetWeaver has been addressed.
   - Two updated high-priority notes from November 2024 relate to:
     - A cross-site scripting (XSS) vulnerability in Web Dispatcher.
     - A NULL pointer dereference bug in NetWeaver.
   - Six medium-severity bugs (four new, two updated) affect **NetWeaver**, **BusinessObjects**, and **HCM**.
   - Two low-severity issues addressed relate to **Product Lifecycle Costing** and **Commerce Cloud**.
6. **Recommendations**:
   - Users are strongly advised to apply the security notes promptly, even though no active exploitation of these vulnerabilities has been reported in the wild.
### Conclusion:
SAP’s December 2024 update addresses critical vulnerabilities that could significantly impact system security. Immediate action is recommended for users to mitigate risks associated with these vulnerabilities.