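SAP Security Patch Day: July 2025
This page shares information about Security Notes that remediate vulnerabilities discovered in SAP products. SAP strongly recommends that you visit the Support Portal and apply patches on a priority basis to protect your SAP landscape.
On July 8, 2025, SAP Security Patch Day saw the release of 27 new Security Notes. In addition, there were 4 updates to previously released Security Notes.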
| Note# | Title | Priority | CVSS |
|---|---|---|---|
| | Update to Security Note released on May 2025 Patch Day: [CVE-2025-30012] Multiple vulnerabilities in SAP Supplier Relationship Management (Live Auction Cockpit) Product – SAP Supplier Relationship Management (Live Auction Cockpit) | Critical | |
| | [CVE-2025-42967] Code Injection vulnerability in SAP S/4HANA and SAP SCM (Characteristic Propagation) | Critical | |
| | [CVE-2025-42980] Insecure Deserialization in SAP NetWeaver Enterprise Portal Federated Portal Network | Critical | |
| | [CVE-2025-42964] Insecure Deserialization in SAP NetWeaver Enterprise Portal Administration Product – SAP NetWeaver Enterprise Portal Administration Version – EP-RUNTIME 7.50 | Critical | |
| | [CVE-2025-42966] Insecure Deserialization vulnerability in SAP NetWeaver (XML Data Archiving Service) | Critical | |
| | [CVE-2025-42963] Insecure Deserialization in SAP NetWeaver Application Server for Java (Log Viewer ) | Critical | |
| | [CVE-2025-42959] Missing Authentication check after implementation of SAP Security Note 3007182 and 3537476 | High | |
| | [CVE-2025-42953] Missing Authorization check in SAP NetWeaver Application Server for ABAP Product – SAP NetWeaver Application Server for ABAP | High | |
| | [CVE-2024-53677] Insecure File Operations vulnerability in SAP Business Objects Business Intelligence Platform (CMC) Product- SAP Business Objects Business Intelligence Platform (CMC) Version – ENTERPRISE 430, 2025 | High | |
| | [CVE-2025-42952] Missing Authorization check in SAP Business Warehouse and SAP Plug-In Basis Product – SAP Business Warehouse and SAP Plug-In Basis | High | |
| | Update to Security Note released on June 2025 Patch Day: Product – SAP NetWeaver Visual Composer | High | |
| | [CVE-2025-43001] Multiple Privilege Escalation Vulnerabilities in SAPCAR CVEs - CVE-2025-42992 Product – SAPCAR | Medium | |
| | Update to Security Note released on June 2025 Patch Day: | Medium | |
| | Update to Security Note released on May 2025 Patch Day: | Medium | |
| | [CVE-2025-42981] Multiple vulnerabilities in SAP NetWeaver Application Server ABAP CVE - CVE-2025-42956 | Medium | |
| | [CVE-2025-42969] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform Product- SAP NetWeaver Application Server ABAP and ABAP Platform | Medium | |
| | [CVE-2025-42962] Cross-Site Scripting (XSS) vulnerability in SAP Business Warehouse (Business Explorer Web 3.5 loading animation) | Medium | |
| | [CVE-2025-42985] Open Redirect vulnerability in SAP BusinessObjects Content Administrator workbench | Medium | |
| | [CVE-2025-42970] Directory Traversal vulnerability in SAPCAR | Medium | |
| | [CVE-2025-42979] Insecure Key & Secret Management vulnerability in SAP GUI for Windows Versions - BC-FES-GUI 8.00 | Medium | |
| | [CVE-2025-42973] Cross-Site Scripting (XSS) vulnerability in SAP Data Services (DQ Report) | Medium | |
| | [CVE-2025-42968] Missing Authorization check in SAP NetWeaver (RFC enabled function module) | Medium | |
| | [CVE-2025-42961] Missing Authorization check in SAP NetWeaver Application Server for ABAP | Medium | |
| | [CVE-2025-42960] Missing Authorization Check in SAP Business Warehouse and SAP BW/4HANA BEx Tools | Medium | |
| | [CVE-2025-42986] Missing Authorization check in SAP NetWeaver and ABAP Platform | Medium | |
| | [CVE-2025-42974] Missing Authorization Check in SAP NetWeaver and ABAP Platform (SDCCN) | Medium | |
| | [CVE-2025-31326] HTML Injection vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Intelligence) | Medium | |
| | [CVE-2025-42965] Server Side Request Forgery(SSRF) vulnerability in SAP BusinessObjects BI Platform Central Management Console Promotion Management Application | Medium | |
| | [CVE-2025-42971] Memory Corruption vulnerability in SAPCAR | Medium | |
| | [CVE-2025-42978] Insufficiently Secure Hostname Verification for Outbound TLS Connections in SAP NetWeaver Application Server Java | Low | |
| | [CVE-2025-42954] Denial of service (DOS) in SAP NetWeaver Business Warehouse (CCAW application) | Low | |
After the monthly scheduled Patch Day, 1 new Security Note was released. In addition, 6 previously released Security Notes were updated.
| Note# | Title | Priority | CVSS |
|---|---|---|---|
| | Update to Security Note released on July 2025 Patch Day: [CVE-2025-42966] Insecure Deserialization vulnerability in SAP NetWeaver (XML Data Archiving Service) | Critical | |
| | Update to Security Note released on July 2025 Patch Day: [CVE-2025-42959] Missing Authentication check after implementation of SAP Security Note 3007182 and 3537476 | High | |
| | Update to Security Note released on July 2025 Patch Day: [CVE-2025-42981] Multiple vulnerabilities in SAP NetWeaver Application Server ABAP CVE - CVE-2025-42956 | Medium | |
| | Update to Security Note released on July 2025 Patch Day: [CVE-2025-42969] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform Product- SAP NetWeaver Application Server ABAP and ABAP Platform | Medium | |
| | Update to Security Note released on May 2025 Patch Day: [CVE-2025-43008] Missing Authorization check in SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal | Medium | |
| | [CVE-2025-42947] Code Injection vulnerability in SAP FICA ODN framework | Medium | |
| | Update to Security Note released on July 2025 Patch Day: [CVE-2025-42978] Insufficiently Secure Hostname Verification for Outbound TLS Connections in SAP NetWeaver Application Server Java | Low | |
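For details about the security researchers and research firms who have contributed to this month's security patches, see here.
SAP is committed to delivering trustworthy products and cloud services. Secure configuration is essential to ensuring secure operation and data integrity. For that reason, the security recommendations consolidated in this document have been documented so that you can configure optimal security for your SAP portfolio.
Archived blogs from the past are available here.
If you have comments or feedback about this page, please contact secure@sap.com. (Please send inquiries in English.)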