On December 9, SAP released 14 new security notes as part of its monthly SAP Security Patch Day. SAP rated three of the security patches as critical priority, while five are high priority and the remainder are medium priority.
SAP advises customers to review the Security Notes in its Support Portal and implement the relevant patches based on their assigned priority.
The Three Critical Priority Patches
SAP assigned a critical priority to the following security notes based on the Common Vulnerability Scoring System (CVSS):
- Note# 3685270, Code Injection vulnerability in SAP Solution Manager, received a 9.9 out of 10.0 CVSS rating.
- Note# 3683579, Multiple vulnerabilities in Apache Tomcat within SAP Commerce Cloud Related CVE, received a 9.6 CVSS rating.
- Note# 3685286, Deserialization Vulnerability in SAP jConnect – SDK for ASE, received a 9.1 CVSS rating.
According to CVE, the code-injection flaw in SAP Solution Manager could allow an authenticated attacker to “insert malicious code when calling a remote-enabled function module.” A successful exploit would grant the attacker “full control of the system.”
“Given the central role of SAP Solution Manager in the SAP system landscape, we strongly recommend a timely patch,” wrote Thomas Fritsch, SAP security researcher at Onapsis.
CVE reported that the vulnerabilities for Apache Tomcat in SAP Commerce Cloud made it possible for an attacker to manipulate the console or clipboard on Windows systems. A successful attack could trick an administrator into executing a command.
Gert-Jan Koster, SAP Security specialist at SecurityBridge, commented, “There’s no workaround and the score reflects broad [confidentiality, integrity, and availability] impact.”
The deserialization vulnerability for SAP jConnect, meanwhile, allowed a high-privileged attacker to trigger remote code execution. CVE stated that the system became vulnerable when specially crafted input was used to exploit the flaw.
Fritsch said Onapsis exploited the vulnerability, noting that the only reason the vulnerability did not receive a 10.0 CVSS rating was because an exploit requires high level of privileges.
What This Means for ERP insiders
Patch central systems promptly. SAP Solution Manager anchors many administrative landscapes, coordinating key monitoring, maintenance, and lifecycle processes. The 9.9 code-injection vulnerability highlights why attention to this system is essential, as a weakness in one function could affect broader system operations. Timely remediation will help maintain stable administration and consistent performance.
Embedded services merit periodic review. The Apache Tomcat fixes in SAP Commerce Cloud show how supporting components can introduce vulnerabilities that affect consoles or administrative workflows, particularly in mixed operating-system environments. Regular assessments help ensure updates are applied consistently and that dependent elements stay aligned with current security expectations.
Integration layers need careful oversight. The jConnect update underscores how high-privilege interfaces depend on consistent input handling, even when they operate normally across applications and connection paths. These layers often serve as trusted intermediaries, making it important to keep them aligned with current safeguards. Routine patching helps maintain more predictable performance across connected systems.
