SAP Security Patch Day – December 2024
This post shares information on Security Notes that remediate vulnerabilities discovered in SAP products. SAP strongly recommends that the customer visits the Support Portal and applies patches on priority to protect their SAP landscape.
On 10th of December 2024, SAP Security Patch Day saw the release of 10 new Security Notes. Further, there were 3 updates to previously released Security Notes.
| Note# | Title | Priority | CVSS |
|---|---|---|---|
| [CVE-2024-47578] | Multiple vulnerabilities in SAP NetWeaver AS for JAVA (Adobe Document Services). Additional CVEs: CVE-2024-47579, CVE-2024-47580. Product: SAP NetWeaver AS for JAVA (Adobe Document Services); Versions: ADSSSAP 7.50 | Hot News | |
| [CVE-2024-47590] | Update to Security Note released on November 2024 Patch Day: Cross-Site Scripting (XSS) vulnerability in SAP Web Dispatcher. Product: SAP Web Dispatcher; Versions: WEBDISP 7.77, 7.89, 7.93, KERNEL 7.77, 7.89, 7.93, 9.12, 9.13 | High | |
| [CVE-2024-54198] | Information Disclosure vulnerability through Remote Function Call (RFC) in SAP NetWeaver Application Server ABAP. Product: SAP NetWeaver Application Server ABAP; Versions: KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, KERNEL 7.22, 7.53, 7.54, 7.77, 7.89, 7.93 | High | |
| [CVE-2024-47586] | Update to Security Note released on November 2024 Patch Day: NULL Pointer Dereference vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform. Product: SAP NetWeaver Application Server for ABAP and ABAP Platform; Versions: KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, 8.04, KERNEL 7.22, 7.53, 7.54, 7.77, 7.89, 7.93, 8.04, 9.12, 9.13 | High | |
| [CVE-2024-54197] | Server-Side Request Forgery in SAP NetWeaver Administrator (System Overview). Product: SAP NetWeaver Administrator (System Overview); Versions: LM-CORE 7.50 | High | |
| [CVE-2024-47582] | XML Entity Expansion Vulnerability in SAP NetWeaver AS JAVA | Medium | |
| [CVE-2024-32732] | Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence platform. Product: SAP BusinessObjects Business Intelligence platform; Versions: ENTERPRISE 430, 2025 | Medium | |
| [CVE-2024-47585] | Missing Authorization check in SAP NetWeaver Application Server for ABAP and ABAP Platform. Product: SAP NetWeaver Application Server for ABAP and ABAP Platform; Versions: SAP_BASIS 740, SAP_BASIS 750 | Medium | |
| [CVE-2024-42375] (Update 1 to Security Note 3433545) | Multiple Unrestricted File Upload vulnerabilities in SAP BusinessObjects Business Intelligence Platform. Additional CVEs: CVE-2024-28166, CVE-2024-41731. Product: SAP BusinessObjects Business Intelligence Platform; Versions: ENTERPRISE 430, 2025 | Medium | |
| [CVE-2024-42375] | Update to Security Note released on August 2024 Patch Day: Multiple Unrestricted File Upload vulnerabilities in SAP BusinessObjects Business Intelligence Platform. Additional CVEs: CVE-2024-28166, CVE-2024-41731. Product: SAP BusinessObjects Business Intelligence Platform; Versions: ENTERPRISE 430, 2025 | Medium | |
| [CVE-2024-47581] | Missing Authorization check in SAP HCM (Approve Timesheets version 4). Product: SAP HCM; Versions: S4HCMGXX 101 | Medium | |
| [CVE-2024-47576] | DLL Hijacking vulnerability in SAP Product Lifecycle Costing | Low | |
| [CVE-2024-47577] | Information Disclosure vulnerability in SAP Commerce Cloud | Low | |
To know more about the security researchers and research companies who contributed to this month's security patches, visit here.
Archived blogs from previous years are available here.
If you have any comments or feedback about this post, you can write to secure@sap.com.
SAP is committed to delivering trustworthy products and cloud services. Secure configuration is essential to ensure secure operation and data integrity. We have therefore documented security recommendations, consolidated in this document, to help you configure the best security for your SAP portfolio.