CVE-2024-47578 (CVSS 9.1): SAP Issues Critical Patch for NetWeaver AS for JAVA
SAP’s latest Security Patch Day, released today, detailed 10 new Security Notes alongside updates to three previously released notes. Among the newly disclosed vulnerabilities, multiple critical and high-priority flaws demand immediate attention from organizations leveraging SAP solutions.
One of the most urgent issues, CVE-2024-47578, affects SAP NetWeaver AS for JAVA (Adobe Document Services). Together with two related flaws, CVE-2024-47579 and CVE-2024-47580, it exposes affected systems to severe exploitation risk. These flaws, rated with a CVSS score of 9.1, can lead to unauthorized actions with significant impact on confidentiality, integrity, and availability. SAP recommends applying the corresponding patches immediately.
Another critical update addresses CVE-2024-47590, a Cross-Site Scripting (XSS) vulnerability in SAP Web Dispatcher, affecting versions ranging from WEBDISP 7.77 to 9.13. With a CVSS score of 8.8, this flaw could allow attackers to inject malicious scripts into trusted web applications.
The list also includes CVE-2024-54198, an Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP, with a CVSS score of 8.5. Exploiting this flaw could provide unauthorized access to sensitive data through Remote Function Call (RFC).
One of the more important vulnerabilities, CVE-2024-54197, involves a Server-Side Request Forgery (SSRF) issue in SAP NetWeaver Administrator. With a CVSS score of 7.2, this flaw allows attackers to manipulate backend systems to send unauthorized requests, which can be particularly harmful in cloud environments.
SAP also highlighted a Missing Authorization Check in SAP HCM (CVE-2024-47581) and a DLL Hijacking Vulnerability in SAP Product Lifecycle Costing (CVE-2024-47576). Although these are rated as medium and low risks, they underscore the importance of consistent monitoring and patch management.
SAP strongly urges customers to address these vulnerabilities by applying the patches provided in the Security Notes. The company emphasized the importance of addressing critical and high-priority issues, particularly those affecting widely used platforms like SAP NetWeaver and SAP BusinessObjects.