
SAP Warns of High-Severity Web Dispatcher Flaw

SAP has released fixes for eight new security flaws, including a high-severity flaw in SAP Web Dispatcher.

SAP has released fixes for eight new security flaws, including a high-severity flaw in SAP Web Dispatcher, the reverse proxy that sits between the browser and the SAP system running the web application and forwards all incoming requests to the SAP application server.

Key Details:

  • The most severe flaw in SAP's set of November patches is a high-severity cross-site scripting flaw (CVE-2024-47590) in SAP Web Dispatcher, which carries a CVSS score of 8.8 out of 10

  • The flaw stems from incomplete filtering of special elements in user-supplied input; according to SAP, successful exploitation could allow an attacker to execute arbitrary code on the server

  • An unauthenticated attacker could exploit the flaw by crafting a malicious link and persuading an authenticated victim to click it. If that happened, SAP said, “input data will be used by the web site page generation to create content which when executed in the victim's browser (XSS) or transmitted to another server (SSRF)” could be abused by the attacker

  • The flaw only affects systems on which the Admin UI of SAP Web Dispatcher has been enabled, according to Onapsis researchers
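To make the two failure modes named in the advisory concrete, the following is an added example written for this page; it is not SAP's code and does not reproduce the SAP Web Dispatcher flaw. It shows a hypothetical admin page that reflects a user-supplied host value: first through an incomplete blocklist filter (the "incomplete filtering of special elements" pattern), which still lets script markup reach the browser, beside a hardened version that uses output encoding; and then a server-side request target built from raw input (the SSRF path) beside an allowlisted one. The page, the `host` parameter, the backend hostnames and the `/sap/public/ping` path are all assumptions made for illustration.

```python
import html
import re

# Constructed, hypothetical example: an admin page that reflects a user-supplied
# "host" value into HTML and into a server-side request. Not SAP's code; the
# names, hosts and paths here are assumptions made for illustration only.

# An "incomplete filtering of special elements" pattern: a blocklist that only
# strips the literal "<script" opening and nothing else.
_SCRIPT_TAG = re.compile(r"<\s*script", re.IGNORECASE)


def render_incomplete_filter(host: str) -> str:
    """Vulnerable: removes '<script' but leaves every other tag and attribute.

    Event-handler attributes (onerror=...) pass untouched, and a nested payload
    such as '<scr<scriptipt>' is reassembled into '<script>' by the removal.
    """
    cleaned = _SCRIPT_TAG.sub("", host)
    return f"<p>Backend host: {cleaned}</p>"


def render_hardened(host: str) -> str:
    """Hardened: context-aware output encoding instead of a blocklist.

    Every '<', '>', '&', '"' and "'" becomes an entity, so the browser renders
    the input as text regardless of what it contains.
    """
    return f"<p>Backend host: {html.escape(host, quote=True)}</p>"


# Hosts the server is permitted to contact; anything else is refused.
ALLOWED_BACKENDS = frozenset({"app1.internal.example", "app2.internal.example"})


def backend_url_unchecked(host: str) -> str:
    """Vulnerable (SSRF): builds the server-side request target from raw input,
    so whoever controls the parameter chooses where the server connects."""
    return f"http://{host}/sap/public/ping"


def backend_url_allowlisted(host: str):
    """Hardened: only exact matches against a fixed allowlist are contacted."""
    normalized = host.strip().lower()
    if normalized not in ALLOWED_BACKENDS:
        return None
    return f"http://{normalized}/sap/public/ping"


def contains_active_markup(rendered: str) -> bool:
    """Crude check: does the rendered HTML still contain a script tag or a
    tag carrying an event-handler attribute that a browser would execute?"""
    return bool(re.search(r"<script\b|<\w+[^>]*\bon\w+\s*=", rendered, re.IGNORECASE))


if __name__ == "__main__":
    # Constructed payloads: an event-handler injection and a filter-bypass
    # nesting trick that the blocklist reassembles into a real script tag.
    payloads = [
        '<img src=x onerror="alert(1)">',
        "<scr<scriptipt>alert(1)</script>",
    ]
    for p in payloads:
        weak = render_incomplete_filter(p)
        strong = render_hardened(p)
        print("filter :", weak, "-> active markup:", contains_active_markup(weak))
        print("encode :", strong, "-> active markup:", contains_active_markup(strong))
    print(backend_url_unchecked("169.254.169.254"))     # server follows attacker's host
    print(backend_url_allowlisted("169.254.169.254"))   # None: refused
    print(backend_url_allowlisted("APP1.internal.example"))
```

The point of the nested payload is that a blocklist which deletes one token can be made to create the very token it deletes; only encoding at the output context removes the class of bug. The same reasoning applies to the SSRF half: validating the destination against a fixed allowlist, rather than trying to recognise bad hosts, is what keeps the server from being pointed at internal addresses.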

The Big Picture: SAP did not say whether these flaws are being targeted by attackers, but vulnerabilities in SAP products have previously been exploited in attacks.

In addition to the high-severity flaw, SAP also fixed several medium-severity vulnerabilities. These include a missing authorization check (CVE-2024-42372) and an information disclosure bug (CVE-2024-47592) in SAP NetWeaver AS Java, a local privilege escalation bug in SAP Host Agent (CVE-2024-47595), and an information disclosure issue in the Software Update Manager component of SAP NetWeaver Java (CVE-2024-47588). An information disclosure flaw (CVE-2024-47593) and a NULL pointer dereference bug (CVE-2024-47586) were also patched in SAP NetWeaver Application Server for ABAP and ABAP Platform.

SAP also updated two security notes for flaws it had previously patched, including a high-severity missing authorization check (CVE-2024-39592) in SAP PDCE that had been fixed in July. According to Onapsis researchers, the updated note adds a patch for software component SEM-BW 600.

Vendor Response: SAP has released patches for these flaws as part of its regularly scheduled monthly updates. For CVE-2024-47590, SAP lists WEBDISP 7.77, 7.89 and 7.93, and KERNEL 7.77, 7.89, 7.93, 9.12 and 9.13 as the affected versions.

According to Onapsis, in addition to the patches for the high-severity flaw, SAP provided temporary workarounds: disabling the Admin UI (by deleting its files or changing profile parameters) or removing the administrative role from all users. These reduce exposure but do not replace the kernel and Web Dispatcher patches.