SAP patches vulnerabilities in NetWeaver and Commerce Cloud

In its monthly security update, SAP addressed fifteen vulnerabilities, including four critical flaws in NetWeaver and Commerce Cloud. Two issues in the NetWeaver platform stand out in particular because of their high CVSS scores and their potential impact on business environments.

According to BleepingComputer, the most serious vulnerability lies in the SAML authentication functions of SAP NetWeaver. Because of an error in the processing of digitally signed XML messages, an attacker can submit manipulated identity data (a forged SAML assertion) that the system accepts as legitimate. In an environment where SAML is used for access management, this can lead to unauthorized access to sensitive information.
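The article gives no technical detail on the NetWeaver bug, so the following is an added illustration of the general failure class it belongs to, not SAP's code and not a reconstruction of the actual flaw: a SAML consumer that checks "a signature verifies somewhere in the message" and separately reads identity data from "the first Assertion it finds" can be fed a message where the two are different elements (the classic XML signature wrapping pattern). The example is self-contained Python on the standard library; an HMAC over the serialised element stands in for XML-DSig's public-key signature and C14N canonicalisation, the element names are assumed rather than copied from the SAML schema, and the Response and Assertion messages are constructed for the example.

```python
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Demo key shared by the IdP and the SP (constructed for this example).  An
# HMAC stands in for XML-DSig's public-key signature so the code runs on the
# standard library alone; the binding mistake shown below does not depend on
# which signature primitive is used.
IDP_KEY = b"demo-idp-signing-key"


def canon(elem):
    """Bytes that get signed: the element serialised on its own, tail text dropped.
    Real XML-DSig uses XML canonicalisation (C14N); plain serialisation is
    enough for a toy where every party uses the same parser."""
    e = copy.copy(elem)
    e.tail = None
    return ET.tostring(e)


def sign_assertion(assertion_xml):
    """IdP side: wrap the assertion in a Response and sign it by ID reference."""
    assertion = ET.fromstring(assertion_xml)
    mac = hmac.new(IDP_KEY, canon(assertion), hashlib.sha256).hexdigest()
    return (
        "<Response>"
        f'<Signature><Reference URI="#{assertion.get("ID")}"/>'
        f"<SignatureValue>{mac}</SignatureValue></Signature>"
        f"{assertion_xml}"
        "</Response>"
    )


def find_signed_element(response):
    """Verify the Response's signature and return the element it covers, or None."""
    sig = response.find("Signature")
    if sig is None or sig.find("Reference") is None:
        return None
    ref_id = sig.find("Reference").get("URI", "").lstrip("#")
    if not ref_id:
        return None
    target = next((e for e in response.iter() if e.get("ID") == ref_id), None)
    if target is None:
        return None
    expected = hmac.new(IDP_KEY, canon(target), hashlib.sha256).hexdigest()
    given = sig.findtext("SignatureValue", "")
    if not hmac.compare_digest(expected.encode(), given.encode()):
        return None
    return target


def vulnerable_consumer(response_xml):
    """Checks that *a* signature verifies, then reads the identity from the
    first Assertion in document order: the two steps are not tied together."""
    response = ET.fromstring(response_xml)
    if find_signed_element(response) is None:
        return None
    name_id = response.find(".//Assertion/Subject/NameID")
    return None if name_id is None else name_id.text


def hardened_consumer(response_xml):
    """Reads the identity only from the element the signature was verified over,
    and requires that element to be the Response's single, top-level Assertion."""
    response = ET.fromstring(response_xml)
    signed = find_signed_element(response)
    if signed is None or signed.tag != "Assertion":
        return None
    if len(response.findall(".//Assertion")) != 1 or response.find("Assertion") is not signed:
        return None
    name_id = signed.find("Subject/NameID")
    return None if name_id is None else name_id.text


def wrapping_attack(legit_response_xml, attacker_name):
    """Attacker side: keep the signed assertion byte-for-byte intact but bury it
    under an Extensions element, and place an unsigned forged Assertion first."""
    response = ET.fromstring(legit_response_xml)
    signature = canon(response.find("Signature")).decode()
    original = canon(response.find("Assertion")).decode()
    forged = (
        '<Assertion ID="_forged"><Subject>'
        f"<NameID>{attacker_name}</NameID></Subject></Assertion>"
    )
    return f"<Response>{signature}{forged}<Extensions>{original}</Extensions></Response>"


# Constructed sample: the IdP issues an assertion for "alice"; the attacker
# reuses it to log in as "admin".
LEGIT_ASSERTION = '<Assertion ID="_a1"><Subject><NameID>alice</NameID></Subject></Assertion>'
LEGIT_RESPONSE = sign_assertion(LEGIT_ASSERTION)
ATTACK_RESPONSE = wrapping_attack(LEGIT_RESPONSE, "admin")

if __name__ == "__main__":
    print("vulnerable, legit :", vulnerable_consumer(LEGIT_RESPONSE))   # alice
    print("vulnerable, attack:", vulnerable_consumer(ATTACK_RESPONSE))  # admin
    print("hardened,   legit :", hardened_consumer(LEGIT_RESPONSE))     # alice
    print("hardened,   attack:", hardened_consumer(ATTACK_RESPONSE))    # None
```

The signature in the attack message is still valid, because the element it references was not touched; the vulnerable consumer fails only because it takes the NameID from a different element than the one it verified. The hardened consumer resolves the signature's reference first, reads identity data exclusively from that element, and rejects any message carrying more than one Assertion or an Assertion that is not a direct child of the Response. Production SAML libraries perform these checks with real XML-DSig and C14N; the point of the toy is that verifying and consuming must be the same element.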

In addition, SAP has addressed a vulnerability that could cause memory corruption within the ABAP Application Server. According to the vendor, an attacker could exploit this using specially crafted RFC requests. Notably, no prior authentication is required, making the barrier to abuse relatively low.

Commerce Cloud Also Affected

NetWeaver wasn’t the only focus of the June security roundup. SAP has also resolved a serious security issue in Commerce Cloud and Data Hub. This vulnerability affects the Spring Security component used in these products. Additionally, a vulnerability was fixed that could have allowed attackers to gain access to files outside the intended system directories of the Java-based NetWeaver Application Server via directory traversal.

In addition to these critical issues, SAP has addressed several other security vulnerabilities. These include flaws that enable SQL injection, cross-site scripting, email spoofing, and authorization bypass. Several security issues in Apache Tomcat that affect Commerce Cloud environments have also been resolved.

Priority for Administrators

SAP publishes the technical details of the vulnerabilities exclusively through its security portal for customers. As a result, there is no public information on whether any of the vulnerabilities are already being actively exploited. The vendor nevertheless emphasizes that organizations must install the available updates as soon as possible.

According to SAP, the SAML authentication vulnerability and the memory corruption issue in the ABAP Application Server in particular deserve immediate attention. Both received a very high CVSS score and affect components that play a central role in many SAP landscapes. For organizations that rely on NetWeaver as the foundation for their ERP and business processes, delaying patching can therefore entail significant risks.