SAP Security in Review: Analyzing the December 2024 Patch Notes

SAP’s December 2024 security notes address several high-risk vulnerabilities, including a Hot News note for Adobe Document Services (ADS) in AS Java. This critical patch tackles multiple flaws, such as Server-Side Request Forgery (SSRF) and information disclosure, for which SAP has provided no workarounds, urging immediate updates.

This month’s security advisory outlines critical and high-risk vulnerabilities impacting SAP NetWeaver Application Server (AS) Java and ABAP, as well as SAP Web Dispatcher. The most critical is Hot News note 3536965, which resolves multiple vulnerabilities in Adobe Document Services, including SSRF. Other significant notes include patches for SSRF in the NetWeaver Administrator (3542543), a re-released note for a cross-site scripting (XSS) flaw in SAP Web Dispatcher (3520281), and an information disclosure vulnerability in AS ABAP (3469791). A denial-of-service risk in AS ABAP was also addressed (3504390). For several of these, SAP has provided workarounds, such as disabling a specific servlet or setting a profile parameter, to offer temporary mitigation if immediate patching is not feasible.

Key Takeaways from December 2024

  • Hot News Note 3536965: Addresses multiple high-risk vulnerabilities in Adobe Document Services (ADS) on AS Java, including SSRF. No workarounds are available.
  • SSRF Vulnerabilities: A key focus this month, with patches for ADS (3536965) and the NetWeaver Administrator (3542543).
  • Re-released XSS Note: Note 3520281 for SAP Web Dispatcher was updated, with workarounds available if immediate patching isn’t possible.
  • Information Disclosure in AS ABAP: Note 3469791 patches a vulnerability that could compromise RFC destination credentials.
  • Denial of Service Risk: Note 3504390 fixes a NULL Pointer Dereference vulnerability in AS ABAP that could cause a system crash.

SAP Security Notes: December 2024 Summary

The table below summarizes the key vulnerabilities addressed by SAP in the December 2024 security patch release.

Note Number | Vulnerability Type                           | Affected System(s)                               | Workaround Available?
3536965     | SSRF, Information Disclosure                 | SAP NetWeaver AS Java (Adobe Document Services)  | No
3542543     | Server-Side Request Forgery (SSRF)           | SAP NetWeaver AS Java (NetWeaver Administrator)  | Yes
3520281     | Cross-Site Scripting (XSS)                   | SAP Web Dispatcher                               | Yes
3469791     | Information Disclosure                       | SAP NetWeaver AS ABAP                            | Yes
3504390     | NULL Pointer Dereference (Denial of Service) | SAP NetWeaver AS ABAP                            | No

What is the Hot News Note for December 2024?

Hot News note 3536965 is the most critical release this month, addressing multiple high-risk vulnerabilities in Adobe Document Services (ADS) running on SAP NetWeaver Application Server for Java (AS Java). The vulnerabilities include Server-Side Request Forgery (SSRF) and information disclosure. Due to the severity, SAP recommends updating ADS to the recommended patch levels immediately and has not provided any workarounds.

What other vulnerabilities were patched in AS Java?

In addition to the ADS vulnerabilities, note 3542543 patches a Server-Side Request Forgery (SSRF) vulnerability in the NetWeaver Administrator of AS Java. This issue is caused by insufficient authentication checks for a servlet. As a temporary mitigation, SAP has provided instructions in the note for disabling the vulnerable servlet.

What vulnerabilities were addressed in AS ABAP?

Two key vulnerabilities were addressed in SAP NetWeaver Application Server ABAP (AS ABAP). Note 3469791 patches an information disclosure vulnerability that could expose credentials for RFC destinations. This can be mitigated by setting the profile parameter rfc/dynamicdestapi_only to 1, which deactivates the legacy dynamic destination. Additionally, note 3504390 resolves a NULL Pointer Dereference (NPD) vulnerability that could be exploited by an attacker to cause a denial of service.
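Because the note 3469791 workaround is a single profile parameter, it is easy to verify at scale before and after a change window. The script below is an added example (not SAP's code, and not taken from the note): it parses an SAP instance profile, reports whether rfc/dynamicdestapi_only is set to 1, and can emit a corrected copy of the profile. It assumes the usual profile file layout of one "parameter = value" per line with "#" starting a comment, case-insensitive parameter names, and a later line overriding an earlier one for the same parameter; the sample profile text is constructed.

```python
"""Check whether an SAP instance profile carries the note 3469791 workaround.

Added example (not SAP's code). Assumed profile layout: one 'parameter = value'
per line, '#' starts a comment, parameter names are case-insensitive, and a
later line overrides an earlier one for the same parameter. The sample profile
below is constructed and does not come from any real system.
"""
from typing import Dict

PARAM = "rfc/dynamicdestapi_only"   # parameter named in the note
REQUIRED_VALUE = "1"                 # value the note's workaround calls for

# Constructed sample profile.
SAMPLE_PROFILE = """\
# Instance profile (constructed sample)
SAPSYSTEMNAME = XYZ
INSTANCE_NAME = D00
rfc/dynamicdestapi_only = 0   # legacy dynamic destinations still allowed
login/password_expiration_time = 90
"""


def parse_profile(text: str) -> Dict[str, str]:
    """Return {parameter (lower-case): value} for every assignment in the profile."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip().lower()] = value.strip()   # last assignment wins
    return params


def check_dynamic_dest_mitigation(text: str) -> Dict[str, object]:
    """Report the parameter's effective value and whether it matches the workaround.

    A missing parameter is reported as not mitigated: the workaround is an
    explicit setting of 1, so absent, 0 or anything else fails the check.
    """
    actual = parse_profile(text).get(PARAM)
    return {"parameter": PARAM, "value": actual,
            "mitigated": actual == REQUIRED_VALUE}


def apply_mitigation(text: str) -> str:
    """Return the profile with the parameter set to 1, replacing an existing
    assignment in place or appending one if it was never set. All other lines
    are left untouched."""
    out, replaced = [], False
    for raw in text.splitlines():
        code = raw.split("#", 1)[0]
        name = code.split("=", 1)[0].strip().lower() if "=" in code else ""
        if name == PARAM:
            out.append(f"{PARAM} = {REQUIRED_VALUE}")
            replaced = True
        else:
            out.append(raw)
    if not replaced:
        out.append(f"{PARAM} = {REQUIRED_VALUE}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("before:", check_dynamic_dest_mitigation(SAMPLE_PROFILE))
    print("after: ", check_dynamic_dest_mitigation(apply_mitigation(SAMPLE_PROFILE)))
```

Run it against the profiles collected from each instance (the instance profile and, if used, the default profile) rather than trusting a change ticket; the check deliberately treats an absent parameter as unmitigated, so that a profile that was never touched shows up in the report. A profile edit takes effect only after the instance is restarted, so pair this with a check of the running value on the system itself.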

Was the SAP Web Dispatcher vulnerability updated?

Yes, note 3520281, which addresses a cross-site scripting (XSS) vulnerability in SAP Web Dispatcher, was re-released with updated information. The note includes several workarounds for organizations that cannot immediately upgrade their Web Dispatchers and Kernels to the recommended patch levels.

Frequently Asked Questions (FAQ)

What was the most critical SAP vulnerability for December 2024?
The most critical issue was detailed in Hot News note 3536965, which covers multiple high-risk vulnerabilities, including Server-Side Request Forgery (SSRF), in Adobe Document Services on SAP NetWeaver AS Java.

Are there workarounds for all patched vulnerabilities?
No. While SAP provided workarounds for the SSRF in NetWeaver Administrator (3542543), the XSS in Web Dispatcher (3520281), and the Information Disclosure in AS ABAP (3469791), there is no workaround for the critical ADS vulnerabilities (3536965) or the Denial of Service bug in AS ABAP (3504390).

What is a Server-Side Request Forgery (SSRF) vulnerability?
An SSRF vulnerability allows an attacker to induce a server-side application to make requests to an unintended location. In the context of SAP, this could allow an attacker to target internal systems that are normally inaccessible from the external network.
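The generic control against this class of bug is to validate every server-initiated request before it is made. The code below is an added example, not SAP's code and not the fix shipped in notes 3536965 or 3542543 (for those, the patch is the fix). It shows the two checks an application that fetches URLs on a user's behalf should apply: an allow-list of destination hosts, and a refusal to connect to private, loopback, link-local or otherwise non-public addresses even when an allow-listed name resolves there. The allow-list, hostnames and DNS answers are constructed for the example; the resolver is injectable so the check can be exercised offline.

```python
"""Defender-side guard for server-initiated HTTP requests (an SSRF control).

Added example, not SAP's code. The allow-list, hostnames and DNS answers
below are constructed; in production, pass system_resolve as the resolver.
"""
import ipaddress
import socket
from typing import Callable, Dict, Set, Tuple
from urllib.parse import urlsplit

Resolver = Callable[[str], Set[str]]

# Constructed allow-list of hosts the application legitimately calls.
ALLOWED_HOSTS = {"docs.example.com", "reports.example.com"}

# Constructed DNS answers, standing in for a real resolver in tests.
CONSTRUCTED_DNS: Dict[str, Set[str]] = {
    "docs.example.com": {"1.2.3.4"},        # placeholder public address
    "reports.example.com": {"10.0.0.5"},    # allow-listed name pointing inside
}


def constructed_resolve(host: str) -> Set[str]:
    """Resolver backed by the constructed table above."""
    if host not in CONSTRUCTED_DNS:
        raise OSError(f"constructed NXDOMAIN for {host}")
    return CONSTRUCTED_DNS[host]


def system_resolve(host: str) -> Set[str]:
    """Real resolver for production use (not exercised by the tests)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_non_public(address: str) -> bool:
    """True for any address a server should never be steered into contacting."""
    ip = ipaddress.ip_address(address)
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def validate_outbound_url(url: str, allowed_hosts: Set[str],
                          resolve: Resolver = system_resolve) -> Tuple[bool, str]:
    """Return (allowed, reason). Only (True, 'ok') should lead to a connection."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme not allowed: {parts.scheme or '<none>'}"
    if parts.username is not None or parts.password is not None:
        # A 'user@host' authority can mislead naive string checks on the host;
        # the application has no legitimate need for it, so refuse it outright.
        return False, "credentials in URL"
    host = parts.hostname
    if not host:
        return False, "no host"
    if host.lower() not in {h.lower() for h in allowed_hosts}:
        return False, f"host not on allow-list: {host}"
    try:
        addresses = resolve(host)
    except OSError as exc:
        return False, f"unresolvable host: {exc}"
    for addr in sorted(addresses):
        if is_non_public(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"


if __name__ == "__main__":
    for u in ("https://docs.example.com/render?id=7",
              "https://reports.example.com/export",
              "http://localhost/",
              "https://docs.example.com@reports.example.com/"):
        print(u, "->", validate_outbound_url(u, ALLOWED_HOSTS, constructed_resolve))
```

Two caveats for anyone adopting this pattern. The address check happens at validation time, so a name that changes its answer between the check and the connect (DNS rebinding) slips through unless the HTTP client is also pinned to the validated addresses or the same check is repeated inside the connection layer. And redirects must be validated with the same function, hop by hop, because a redirect from an allow-listed host is still a server-initiated request to wherever the Location header points.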
