Notas de Seguridad SAP, Octubre 2025

El detalle completo de las notas más relevantes es el siguiente (en inglés):

1. Insecure Deserialization vulnerability in SAP Netweaver (RMI-P4) (update) (3634501): Due to a deserialization vulnerability in SAP NetWeaver (RMI-P4), an unauthenticated attacker could exploit the system by sending malicious payloads to an open port, potentially leading to arbitrary OS command execution and a full compromise of confidentiality, integrity, and availability. The issue has been fixed by updating the affected P4-Lib component to enforce secure deserialization handling and restrict untrusted Java objects via the RMI-P4 module. SAP recommends implementing the patches listed in the “Support Packages & Patches” section and ensuring the Java Virtual Machine version is higher than Java 8u121 (refer to Note 2695197), while also reviewing Note 1974464 to avoid incompatibilities. For additional information, see Note 3637718 and, for further hardening, apply Note 3660659. If patching is not immediately possible, a temporary workaround involves isolating the system at the network level so that P4 and P4S ports are not accessible from insecure networks, ensuring these ports are reachable only from trusted systems through firewall rules or IP filtering. Once the patch is applied, the workaround can be rolled back. CVSS v3 Base Score 10/ 10 [CVE-2025-42944]
2. Security Hardening for Insecure Deserialization in SAP NetWeaver AS Java (3660659): SAP NetWeaver AS Java is vulnerable to remote code execution due to insecure deserialization of JDK and third-party classes, where specially crafted input could be deserialized by the AS Java runtime. Although no new CVE was issued, this advisory serves as a hardening measure linked to [CVE-2025-42944] with a CVSS score of 10.0 (Critical). The issue is resolved by blocking vulnerable JDK and third-party classes through a configuration-based patch that prevents insecure deserialization and enhances security for systems affected by the RMI/P4 vulnerability (SAP Note 3634501). To apply the fix, ensure a Java Virtual Machine version higher than Java 8u121 is installed (per KBA 2695197), and that the ‘bootstrap.properties' file includes the property ‘element.resynch=DETECT' (SAP Note 710663). SAP also recommends checking Note 1974464 for compatibility guidance before applying the update. For more information, refer to FAQ KBA 3663688. A workaround may be considered depending on system applicability, though applying the patch remains the recommended permanent solution. CVSS v3 Base Score 10/ 10 [CVE-2025-42944]
3. Directory Traversal vulnerability in SAP Print Service (3630595): SAP Print Service (SAPSprint) is affected by a path traversal vulnerability due to insufficient validation of user-provided path information. An unauthenticated attacker could exploit this flaw to traverse directories and overwrite system files, leading to a high impact on the confidentiality, integrity, and availability of the application (CVE-2025-42937). The issue has been resolved by introducing proper validation of path inputs within SAPSprint. Users are advised to implement the patches listed in the “Support Packages & Patches” section of this SAP Security Note. For further details, refer to FAQ Note 3636888. No workaround is available for this vulnerability. CVSS v3 Base Score 9,8/ 10 [CVE-2025-42937]
4. Unrestricted File Upload Vulnerability in SAP Supplier Relationship Management (3647332): SAP Supplier Relationship Management is affected by an unrestricted file upload vulnerability caused by missing verification of file type or content. An authenticated attacker could exploit this flaw to upload arbitrary files, including executables that might be downloaded and executed by users, potentially leading to malware infections. Successful exploitation could result in a high impact on the confidentiality, integrity, and availability of the application (CVE-2025-42910). The issue has been resolved by implementing proper validation of MIME types and file extensions. Users should apply the Correction Instructions or Support Packages referenced in this SAP Security Note. No workaround is available. CVSS v3 Base Score 9,0/ 10 [CVE-2025-42910]
5. Denial of service (DOS) in SAP Commerce Cloud (Search and Navigation) (3664466): SAP Commerce Cloud Search and Navigation is vulnerable to a denial-of-service (DoS) attack caused by a flaw in the HTTP/2 protocol within the Jetty library. A malicious client could send crafted requests that force the server to reset streams repeatedly, consuming excessive resources and leading to service disruption. This issue has a high impact on availability but does not affect confidentiality or integrity (CVE-2025-5115). The vulnerability is resolved by upgrading the Jetty http2-common library to the latest version, included in SAP Commerce Cloud Patch Releases 2211-jdk21.2, 2211.45, and 2205.43. Customers should install these or later patches, rebuild, and redeploy their SAP Commerce environments according to the deployment instructions provided in the SAP Support Portal. CVSS v3 Base Score 7,5/ 10 [CVE-2025-5115]
6. Security Misconfiguration vulnerability in SAP Data Hub Integration Suite (3658838): SAP Datahub Suite is affected by a vulnerability due to the use of Apache CXF 3.5.1 libraries with JMS/JNDI configurations, allowing an unauthenticated attacker to inject malicious RMI/LDAP endpoints (CVE-2025-48913). This could result in remote code execution, leading to a high impact on the confidentiality, integrity, and availability of the application. The issue is resolved by upgrading Apache CXF to version 3.6.8, which includes secure versions of multiple CXF components such as cxf-core, cxf-rt-bindings-soap, and cxf-rt-frontend-jaxws. Customers are advised to apply the SAP Commerce Integration Extension Pack Patch Release 2205.17, which contains the updated, non-vulnerable libraries. CVSS v3 Base Score 7,1/ 10 [CVE-2025-48913]