SAP Patch Day: March 2025
Three new High Priority Notes and one Important Best Practice CVSS 0.0 Note
Author: Thomas Fritsch
Highlights of March SAP Security Notes analysis include:
SAP has released twenty-five SAP Security Notes on its March Patch Day (including the notes that were released or updated since last Patch Tuesday). This includes five High Priority Notes.
Two of the five High Priority Notes are updates on earlier released patches. SAP Security Note #3567974, tagged with a CVSS score of 8.1, was initially released on SAP’s February Patch Day and patches a vulnerability in SAP App Router. The ‘Symptom’ section of the note was updated and an FAQ note was added (#3571636).
SAP Security Note #3483344 was extended by corrections for additional affected software components. The note patches a critical Missing Authorization Check vulnerability in SAP PDCE that can lead to high impact on the application’s confidentiality.
The New High Priority Notes in Detail
SAP Security Note #3563927, tagged with a CVSS score of 8.8, affects a wide range of SAP customers. It addresses a critical vulnerability in transaction SA38 of an SAP NetWeaver Application Server ABAP that allows access to functionality of the Class Builder which should be restricted to the ABAP Development Workbench. Left unpatched, all applications are exposed to high risk with regard to their confidentiality, integrity, and availability.
SAP Security Note #3569602, tagged with a CVSS score of 8.8, patches a Cross-Site Scripting (XSS) vulnerability in SAP Commerce, caused by the open source library swagger-ui. The explore feature of Swagger UI, which was vulnerable to a DOM-based XSS attack, allows an unauthenticated attacker to inject malicious code from remote sources. A successful exploit can have a high negative impact on the confidentiality, integrity, and availability of the application. Fortunately, SAP points out that the exploit requires significant user interaction, as the attacker needs to convince a victim to place a malicious payload into an input field. As a workaround, customers can remove any use of swagger-ui in SAP Commerce or block access to the swagger consoles.
SAP Security Note #3566851, tagged with a CVSS score of 8.6, patches a Denial of Service (DoS) and an Unchecked Error Condition vulnerability in SAP Commerce Cloud. The application includes a version of Apache Tomcat that is vulnerable to CVE-2024-38286 and CVE-2024-52316. The note provides updates that include patched Tomcat versions.
About the CVSS 0.0 SAP Security Note
SAP Security Note #3576540, tagged with a CVSS score of 0.0 (no, it’s not a typo), provides best practice information about custom Java applications in SAP BTP implemented with the Spring Framework. For such applications, developers often use Spring Boot Actuator, a tool exposing various URL endpoints that offer real-time application data, aiding in debugging and monitoring. However, without proper security measures, these endpoints can introduce serious vulnerabilities. The note lists the affected endpoints in detail and describes in detail the conditions under which applications are affected.
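One way to apply that guidance in a Spring-based BTP application, as an added example that is neither SAP's note nor Onapsis code: a Spring Security filter chain that keeps only the health endpoint public and requires an authenticated user with an assumed role name (ACTUATOR_ADMIN) for every other Actuator endpoint. It assumes Spring Boot 3.x with spring-boot-starter-actuator and spring-boot-starter-security on the classpath; the endpoint names in the comments are standard Actuator endpoints, not the list from the note.

```java
// Added example (not from SAP Note #3576540): lock down Spring Boot Actuator.
// Assumes Spring Boot 3.x / Spring Security 6 APIs.
import static org.springframework.security.config.Customizer.withDefaults;

import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ActuatorSecurityConfig {

    // Weak state this replaces: management.endpoints.web.exposure.include=*
    // with no security filter, so endpoints such as /actuator/env,
    // /actuator/heapdump or /actuator/loggers answer to anyone on the network.
    // Keep the property list minimal (e.g. health,info) in addition to this chain.

    @Bean
    SecurityFilterChain actuatorFilterChain(HttpSecurity http) throws Exception {
        http
            // Only this chain handles requests to Actuator endpoints,
            // regardless of the base path configured for them.
            .securityMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeHttpRequests(auth -> auth
                // Liveness/readiness probes may stay public...
                .requestMatchers(EndpointRequest.to(HealthEndpoint.class)).permitAll()
                // ...every other endpoint needs the assumed admin role.
                .anyRequest().hasRole("ACTUATOR_ADMIN"))
            // HTTP Basic is used here for brevity; in BTP the same chain
            // can be backed by the platform's OAuth/XSUAA-issued identities.
            .httpBasic(withDefaults());
        return http.build();
    }
}
```

Pair the chain with `management.endpoint.health.show-details=when_authorized` so that even the public health endpoint reveals component details only to authenticated callers.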
Summary & Conclusions
With twenty-five SAP Security Notes, including five High Priority Notes, SAP March Patch Day is again a busy one. It is the first Patch Day that comes with a CVSS 0.0 note. However, SAP BTP customers will agree that this note is a perfect example of not just looking at CVSS scores when it comes to prioritizing SAP Security Notes.
As always, the Onapsis Research Labs are already updating The Onapsis Platform to incorporate the newly published vulnerabilities into the product so that our customers can protect their businesses.
For more information about the latest SAP security issues and our continuous efforts to share knowledge with the security community, subscribe to The Defenders Monthly on LinkedIn.
Originally published on Onapsis.com.