SAP’s January 2025 security notes address several critical and high-risk vulnerabilities, most notably in SAP NetWeaver Application Server ABAP (AS ABAP). The release includes a critical 9.9 CVSS score patch for an authentication flaw that could allow credential theft and a separate high-risk patch for information disclosure due to a testing utility left in the code.
The January 2025 SAP Security Notes release is headlined by two “Hot News” advisories for SAP NetWeaver AS ABAP. The most critical, Note 3537476, patches an authentication vulnerability with a 9.9 CVSS score that could allow attackers to compromise credentials in RFC communications and execute commands. This requires a kernel patch and has no workaround. A second “Hot News” item, Note 3550708, addresses a high-risk information disclosure flaw caused by an exposed testing utility. Other significant patches resolve a high-risk SQL injection vulnerability in NetWeaver AS ABAP (Note 3550816), multiple flaws in SAP BusinessObjects (Note 3474398), and a privilege escalation vulnerability in SAPSetup (Note 3542533). Administrators should prioritize the application of these patches, particularly the kernel update for the critical NetWeaver vulnerability.
Key Takeaways
- A critical authentication vulnerability in NetWeaver AS ABAP (Note 3537476) has a 9.9 CVSS score and requires a kernel patch.
- A high-risk information disclosure flaw in NetWeaver AS ABAB (Note 3550708) is due to an exposed testing utility.
- A high-risk SQL injection vulnerability (Note 3550816) affects NetWeaver AS ABAP connections to Informix databases.
- SAP BusinessObjects (BOBJ) received patches for information disclosure and code injection (Note 3474398).
- A DLL hijacking vulnerability in SAPSetup (Note 3542533) could lead to privilege escalation on Windows servers.
January 2025 Critical SAP Vulnerability Summary
The table below outlines the key vulnerabilities addressed in the January 2025 security notes.
| Note Number | Product | Vulnerability Type | CVSS Score | Workaround Available? |
|---|---|---|---|---|
| 3537476 | SAP NetWeaver AS ABAP | Credential Compromise | 9.9 | No |
| 3550708 | SAP NetWeaver AS ABAP | Information Disclosure | High | Yes |
| 3550816 | SAP NetWeaver AS ABAP | SQL Injection | High | Yes |
| 3474398 | SAP BusinessObjects (BOBJ) | Info Disclosure, Code Injection | N/A | No |
| 3542533 | SAPSetup | DLL Hijacking (Privilege Escalation) | N/A | No |
What is the Critical Vulnerability in NetWeaver AS ABAP (Note 3537476)?
Hot news note 3537476 patches a critical vulnerability in SAP NetWeaver Application Server ABAP with a CVSS score of 9.9. The flaw allows attackers to exploit authentication weaknesses to compromise credentials used in internal RFC communications. An attacker could then use these stolen credentials to execute commands. The attack is considered non-complex and requires no prior privileges. The only solution is to apply a kernel patch, as no workarounds are available.
How Does Note 3550708 Address Information Disclosure in NetWeaver?
Hot news note 3550708 resolves a high-risk information disclosure vulnerability in NetWeaver AS ABAP. The issue stems from a testing utility that was not intended for customer delivery but was included in the software, creating an insufficient authentication situation in the Internet Communication Framework (ICF). This could allow attackers to access restricted information, impacting confidentiality, integrity, and availability. The patch disables the execution of transaction SA38 by the affected programs, and restricting access to SA38 can serve as a temporary workaround.
What SQL Injection Risk is Mitigated by Note 3550816?
Note 3550816 addresses a high-risk SQL injection vulnerability in NetWeaver AS ABAP. Attackers could exploit vulnerable RFC functions to execute SQL commands on backend Informix databases. The solution provided by SAP deactivates the vulnerable functions. As a workaround, access to the remote-enabled function modules in the SDBI function group can be restricted using the S_RFC authorization object.
What Vulnerabilities Were Patched in SAP BusinessObjects (Note 3474398)?
Note 3474398 patches multiple vulnerabilities in the SAP BusinessObjects Business Intelligence (BOBJ) Platform. These include an information disclosure flaw that could lead to session hijacking and a code injection vulnerability that could allow an attacker to inject and execute malicious JavaScript code.
How Does Note 3542533 Prevent Privilege Escalation in SAPSetup?
Note 3542533 resolves a DLL hijacking vulnerability in SAPSetup, a tool used for installing SAP software on Microsoft Windows. An attacker could exploit this vulnerability to escalate privileges on Windows servers, potentially compromising active directories. The solution involves fixing incorrect permissions for temporary directories used by the application.
Frequently Asked Questions (FAQ)
What was the most critical SAP vulnerability in January 2025?
The most critical vulnerability was an authentication weakness in SAP NetWeaver AS ABAP, detailed in Hot News note 3537476. It carries a CVSS score of 9.9 and could allow attackers to compromise credentials and execute commands.
Are there workarounds for the critical NetWeaver vulnerabilities?
There is no workaround for the critical 9.9 CVSS vulnerability (Note 3537476); a kernel patch is required. For the information disclosure vulnerability (Note 3550708), restricting access to transaction SA38 can serve as a temporary mitigation.
What systems are affected by the January 2025 SAP notes?
The primary systems affected are SAP NetWeaver Application Server ABAP, SAP BusinessObjects Business Intelligence Platform, and SAPSetup on Windows. Specific notes address vulnerabilities related to RFC communications, the Internet Communication Framework, and connections to Informix databases.