
=====================================================================

                            CERT-Renater

                Information Note No. 2025/VULN240

_____________________________________________________________________

DATE                : 17/04/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running SAP products.

=====================================================================
https://support.sap.com/en/my-support/knowledge-base/security-notes-news/april-2025.html
_____________________________________________________________________

SAP Security Patch Day - April 2025

This post shares information on the Security Notes that remediate
vulnerabilities discovered in SAP products. SAP strongly recommends
that customers visit the Support Portal and apply the patches as a
priority to protect their SAP landscape.

On 8 April 2025, SAP Security Patch Day saw the release of 18 new
Security Notes. In addition, there were 2 updates to previously
released Security Notes.


Note#    Title / Product and Versions                       Priority   CVSS
---------------------------------------------------------------------------

3581961  [CVE-2025-27429] Code Injection Vulnerability in SAP S/4HANA
         (Private Cloud)
         Product:  SAP S/4HANA (Private Cloud)
         Versions: S4CORE 102, 103, 104, 105, 106, 107, 108
         Priority: Critical    CVSS: 9.9

3587115  [CVE-2025-31330] Code Injection Vulnerability in SAP Landscape
         Transformation (Analysis Platform)
         Product:  SAP Landscape Transformation (Analysis Platform)
         Versions: DMIS 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731
         Priority: Critical    CVSS: 9.9

3572688  [CVE-2025-30016] Authentication Bypass Vulnerability in SAP
         Financial Consolidation
         Product:  SAP Financial Consolidation
         Version:  FINANCE 1010
         Priority: Critical    CVSS: 9.8

3525794  Update to Security Note released on February 2025 Patch Day:
         [CVE-2025-0064] Improper Authorization in SAP BusinessObjects
         Business Intelligence platform
         Product:  SAP BusinessObjects Business Intelligence platform
                   (Central Management Console)
         Versions: ENTERPRISE 430, 2025
         Priority: High        CVSS: 8.8

3554667  [CVE-2025-23186] Mixed Dynamic RFC Destination vulnerability
         through Remote Function Call (RFC) in SAP NetWeaver Application
         Server ABAP
         Product:  SAP NetWeaver Application Server ABAP
         Versions: KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53,
                   KERNEL 7.22, 7.53, 7.54, 7.77, 7.89, 7.93
         Priority: High        CVSS: 8.5

3590984  [CVE-2024-56337] Time-of-check Time-of-use (TOCTOU) Race
         Condition vulnerability in Apache Tomcat within SAP Commerce
         Cloud
         Product:  SAP Commerce Cloud
         Versions: HY_COM 2205, COM_CLOUD 2211
         Priority: High        CVSS: 8.1

2927164  [CVE-2025-30014] Directory Traversal vulnerability in SAP
         Capital Yield Tax Management
         Product:  SAP Capital Yield Tax Management
         Versions: CYTERP 420_700, CYT 800, IBS 7.0, CYT4HANA 100
         Priority: High        CVSS: 7.7

3581811  [CVE-2025-27428] Directory Traversal vulnerability in SAP
         NetWeaver and ABAP Platform (Service Data Collection)
         Product:  SAP NetWeaver and ABAP Platform (Service Data
                   Collection)
         Versions: ST-PI 2008_1_700, 2008_1_710, 740
         Priority: High        CVSS: 7.7

3543274  [CVE-2025-26654] Potential information disclosure vulnerability
         in SAP Commerce Cloud (Public Cloud)
         Product:  SAP Commerce Cloud (Public Cloud)
         Version:  COM_CLOUD 2211
         Priority: Medium      CVSS: 6.8

3571093  [CVE-2025-30013] Code Injection vulnerability in SAP ERP BW
         Business Content
         Product:  SAP ERP BW Business Content
         Versions: BI_CONT 707, 737, 747, 757
         Priority: Medium      CVSS: 6.7

3565751  [CVE-2025-31332] Insecure File permissions vulnerability in SAP
         BusinessObjects Business Intelligence Platform
         Product:  SAP BusinessObjects Business Intelligence Platform
         Version:  ENTERPRISE 430
         Priority: Medium      CVSS: 6.6

3568307  [CVE-2025-26657] Information Disclosure vulnerability in SAP
         KMC WPC
         Product:  SAP KMC WPC
         Version:  KMC-WPC 7.50
         Priority: Medium      CVSS: 5.3

3559307  [CVE-2025-26653] Cross-Site Scripting (XSS) vulnerability in
         SAP NetWeaver Application Server ABAP (applications based on
         SAP GUI for HTML)
         Product:  SAP NetWeaver Application Server ABAP (applications
                   based on SAP GUI for HTML)
         Versions: KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53,
                   KERNEL 7.22, 7.53, 7.54, 7.77, 7.89, 7.93, 9.14
         Priority: Medium      CVSS: 4.7

3558864  [CVE-2025-30017] Missing Authorization check in SAP Solution
         Manager
         Product:  SAP Solution Manager
         Versions: ST 720, SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702,
                   SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750,
                   SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753,
                   SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756,
                   SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 914
         Priority: Medium      CVSS: 4.4

3525971  [CVE-2025-31333] OData meta-data tampering in SAP S4CORE entity
         Product:  SAP S4CORE entity
         Versions: S4CORE 107, 108
         Priority: Medium      CVSS: 4.3

3568778  [CVE-2025-27437] Missing Authorization check in SAP NetWeaver
         Application Server ABAP (Virus Scan Interface)
         Product:  SAP NetWeaver Application Server ABAP (Virus Scan
                   Interface)
         Versions: SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702,
                   SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750,
                   SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753,
                   SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756,
                   SAP_BASIS 757, SAP_BASIS 758
         Priority: Medium      CVSS: 4.3

3577131  [CVE-2025-31331] Authorization Bypass vulnerability in SAP
         NetWeaver
         Product:  SAP NetWeaver
         Versions: SAP_ABA 700, 701, 702, 731, 740, 750, 751, 752, 75C,
                   75D, 75E, 75F, 75G, 75H, 75I
         Priority: Medium      CVSS: 4.3

3539465  [CVE-2025-27435] Information Disclosure Vulnerability in SAP
         Commerce Cloud
         Product:  SAP Commerce Cloud
         Versions: HY_COM 2205, COM_CLOUD 2211
         Priority: Medium      CVSS: 4.2

3565944  [CVE-2025-30015] Memory Corruption vulnerability in SAP
         NetWeaver and ABAP Platform (Application Server ABAP)
         Product:  SAP NetWeaver and ABAP Platform (Application Server
                   ABAP)
         Versions: KRNL64UC 7.53, KERNEL 7.53, 7.54
         Priority: Medium      CVSS: 4.1

3561861  Update to Security Note released on March 2025 Patch Day:
         [CVE-2025-27430] Server Side Request Forgery (SSRF) in SAP CRM
         and SAP S/4HANA (Interaction Center)
         Product:  SAP CRM and SAP S/4HANA (Interaction Center)
         Versions: S4CRM 100, 200, 204, 205, 206, S4FND 102, 103, 104,
                   105, 106, 107, 108, S4CEXT 107, 108, BBPCRM 701, 702,
                   712, 713, 714, WEBCUIF 701, 731, 746, 747, 748, 800,
                   801
         Priority: Low         CVSS: 3.5

To learn more about the security researchers and research companies
who contributed to this month's security patches, visit here.

SAP is committed to delivering trustworthy products and cloud
services. Secure configuration is essential to secure operation and
data integrity. SAP has therefore documented security
recommendations, consolidated in this document, to help you
configure the best security for your SAP portfolio.

Archived blogs from previous years are available here.

If you have any comments or feedback about this post, you can
write to secure@sap.com.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
