SAP’s February 2025 Security Patch Day addressed several high-priority vulnerabilities across its product portfolio. The updates include patches for a high-risk cross-site scripting (XSS) flaw in SAP NetWeaver AS Java, an information disclosure vulnerability in SAP BusinessObjects, a path traversal issue in SAP Supplier Relationship Management, and an open redirect vulnerability in SAP HANA.
The most significant update involves SAP Note 3417627, which was re-released to address a Cross-Site Scripting (XSS) vulnerability in the User Admin application of SAP NetWeaver AS Java. This flaw allows an unauthenticated attacker to craft malicious links that, when clicked, execute scripts in the victim’s browser, potentially leading to unauthorized data access or modification. A new note, 3557138, is now required to patch the vulnerability completely. Another high-priority issue, detailed in SAP Note 3525794, concerns an information disclosure vulnerability in the SAP BusinessObjects Business Intelligence platform. This flaw could allow an administrator to retrieve a secret passphrase and impersonate any user. The month’s patches also resolved a path traversal vulnerability in SAP Supplier Relationship Management (Note 3567551) that allowed for arbitrary file downloads, and an open redirect vulnerability in SAP HANA’s UAA service (Note 3563929) that could lead to phishing attacks. Applying these patches promptly is crucial for securing SAP landscapes.
Key Takeaways
- A high-risk Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS Java was patched.
- An information disclosure flaw in SAP BusinessObjects allowing user impersonation was fixed.
- A path traversal vulnerability in SAP Supplier Relationship Management was resolved.
- An open redirect vulnerability in SAP HANA extended application services was addressed.
- Multiple high-priority notes were released, requiring immediate attention from administrators.
February 2025 SAP Security Notes Summary
| SAP Note | Vulnerability Type | Affected Product | Impact |
|---|---|---|---|
| 3417627 / 3557138 | Cross-Site Scripting (XSS) | SAP NetWeaver AS Java | Allows unauthenticated attackers to execute malicious scripts, leading to potential unauthorized access. |
| 3525794 | Information Disclosure | SAP BusinessObjects BI Platform | Enables administrators to retrieve a secret passphrase and impersonate any user. |
| 3567551 | Path Traversal | SAP Supplier Relationship Management | Allows unauthenticated attackers to download arbitrary files from the system. |
| 3563929 | Open Redirect | SAP HANA XS Advanced Model | Enables attackers to redirect users to malicious websites for phishing attacks. |
What Was the High-Risk Vulnerability in SAP NetWeaver AS Java?
SAP Notes 3417627 and 3557138 address a high-risk cross-site scripting (XSS) vulnerability in the User Admin application of SAP NetWeaver AS Java. The flaw is due to insufficient input validation and improper encoding, which allows an unauthenticated attacker to create malicious links. When a victim clicks the link, a malicious script runs in their browser, which could lead to unauthorized access and modification of sensitive information. Note 3417627 was re-released as an update, and the new Note 3557138 is now also required for a complete fix.
How Did SAP Address the Information Disclosure in BusinessObjects?
SAP Note 3525794 resolves an information disclosure vulnerability within the Central Management Console of the SAP BusinessObjects Business Intelligence platform. The vulnerability allowed attackers with administrative rights to generate or retrieve a secret passphrase, which would enable them to impersonate any user in the system. The correction implemented in the note removes the ability for administrators to access these passphrases, mitigating the risk of user impersonation.
What Was the Path Traversal Flaw in SAP Supplier Relationship Management?
SAP Note 3567551 fixes a path traversal vulnerability in the Master Data Management Catalog of SAP Supplier Relationship Management. This vulnerability allowed an unauthenticated attacker to download arbitrary files from the remote system by manipulating the input URL path. The correction sanitizes the URL path to prevent attackers from accessing or downloading files outside of the intended directory.
What Open Redirect Vulnerability Was Patched in SAP HANA?
SAP Note 3563929 patches an Open Redirect vulnerability in the User Account and Authentication (UAA) service for SAP HANA extended application services, advanced model. Due to insufficient validation of redirect URLs, an unauthenticated attacker could craft a malicious link. If a victim clicks this link, their browser is redirected to a malicious site, which could be used for phishing attacks to steal credentials or other sensitive data. The patch applies proper validation to redirect URLs to prevent this exploitation.
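The redirect-URL validation the Note 3563929 patch describes, written here as an added Python example (not SAP's or the UAA service's own code): a naive prefix check beside an allow-list check that also rejects protocol-relative targets, credentials in the URL, and off-site schemes. The host names are constructed.

```python
from urllib.parse import urlsplit

# Constructed allow-list: the only hosts this service may redirect a browser to.
ALLOWED_REDIRECT_HOSTS = {"app.example.com", "portal.example.com"}
FALLBACK = "/"  # safe default used whenever the requested target is rejected


def weak_redirect_check(candidate: str) -> bool:
    """A prefix check that looks right but is not: a host such as
    app.example.com.attacker.example passes it."""
    return candidate.startswith("https://app.example.com")


def safe_redirect_target(candidate: str, allowed_hosts=ALLOWED_REDIRECT_HOSTS) -> str:
    """Return candidate if it is a same-site path or an https URL whose host
    is on the allow-list; otherwise return FALLBACK."""
    # Reject control characters, backslashes (browsers treat them as '/')
    # and non-ASCII input (look-alike host names) before parsing anything.
    if not candidate or not candidate.isascii() or any(c in candidate for c in "\\\r\n\t\x00"):
        return FALLBACK
    try:
        parts = urlsplit(candidate)
    except ValueError:  # e.g. malformed IPv6 literal
        return FALLBACK
    if not parts.scheme and not parts.netloc:
        # Relative target: exactly one leading slash. "//host/..." is
        # protocol-relative and would send the browser off-site.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return FALLBACK
    # "https:attacker.example" parses with an empty netloc, but a browser
    # still navigates off-site, so an absolute URL must carry a host.
    if parts.scheme.lower() != "https" or not parts.netloc:
        return FALLBACK
    # "https://app.example.com@attacker.example" puts the trusted name in the
    # userinfo part; hostname already ignores it, but reject the form outright.
    if parts.username is not None or parts.password is not None:
        return FALLBACK
    host = (parts.hostname or "").lower()
    return candidate if host in allowed_hosts else FALLBACK
```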
Frequently Asked Questions (FAQ)
What was the most critical vulnerability in the February 2025 SAP Security Notes?
The update to Note 3417627, addressing a high-risk Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS Java, was one of the most critical, with a CVSS score of 8.8. It allows unauthenticated attackers to potentially access or modify sensitive information.
How was the information disclosure vulnerability in SAP BusinessObjects addressed?
The correction for Note 3525794 removes the ability of administrators to access the secret passphrase that could be used to impersonate other users, effectively closing the security gap.
What is a path traversal vulnerability?
A path traversal vulnerability, like the one fixed by Note 3567551, allows an attacker to read files on a server that are outside of the web root directory. Attackers exploit this by manipulating file paths with sequences like “../” to navigate the server’s file system.
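The kind of containment check the Note 3567551 correction describes (sanitising the URL path so a download cannot leave the intended directory), which also defeats the “../” sequences mentioned in this answer, written here as an added Python example; it is not SAP's code, and the base directory and file names are constructed.

```python
import os
from urllib.parse import unquote

# Constructed directory the download handler is allowed to serve from.
BASE_DIR = "/srv/catalog/files"


def weak_path_check(requested: str, base_dir: str = BASE_DIR) -> bool:
    """String-prefix check that looks right but is not: '../files-old/x'
    normalises to /srv/catalog/files-old/x, which still starts with base_dir."""
    target = os.path.normpath(os.path.join(base_dir, requested))
    return target.startswith(base_dir)


def resolve_download_path(requested: str, base_dir: str = BASE_DIR):
    """Map a client-supplied relative path to a file below base_dir.
    Returns the absolute path, or None when the request would escape it."""
    # Decode percent-encoding exactly once, as a web server hands it to the
    # application: '%2e%2e' becomes '..', while '%252e' stays a literal name.
    decoded = unquote(requested)
    # NUL truncates C string APIs; backslash is a separator on Windows.
    if not decoded or "\x00" in decoded or "\\" in decoded:
        return None
    # An absolute path must never be honoured as "relative to base".
    if os.path.isabs(decoded):
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, decoded))
    # Containment is decided on path components, not on string prefixes.
    if target == base or os.path.commonpath([base, target]) != base:
        return None
    return target
```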