Summary
SAP has released its December Security Patch Day updates, which fix several vulnerabilities, including 3 with “high” severity.
Risk
Estimate of vulnerability impact on the target community: HIGH/ORANGE (65.51/100) [1].
Type
- Denial of Service
- Arbitrary File Write/Read
- Security Restrictions Bypass
- Information Disclosure
Affected Products and Versions
- NetWeaver AS for JAVA (Adobe Document Services), version ADSSSAP 7.50
- NetWeaver Application Server ABAP, versions KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, KERNEL 7.22, 7.53, 7.54, 7.77, 7.89, 7.93
- NetWeaver Administrator (System Overview), version LM-CORE 7.50
Mitigation Actions
In line with the vendor's statements, it is recommended to update the vulnerable products by following the instructions in the security bulletin listed in the References section.
Unique Vulnerability Identifiers
Only the CVEs of the “High” severity vulnerabilities are listed below:
References
https://support.sap.com/en/my-support/knowledge-base/security-notes-news/december-2024.html
[1] This estimate takes into account several parameters, including: CVSS, the availability of patches/workarounds and PoC, and the diffusion of the affected software/devices in the reference community.