Hi Team,
SAP has released SAP Security Note 3537476 - [CVE-2025-0070] Improper Authentication in SAP NetWeaver ABAP Server and ABAP Platform, of Very High priority, but the details are not clear enough for us to assess the impact.
The SAP Note mentions that "A malicious user is able to steal credentials from an internal RFC communication between server A (HTTP client) and server B (serving the request) of the same system" for an HTTP call.
So our understanding is that this Note is applicable only if we have an HTTP RFC destination from an ABAP system to an ABAP system. An ABAP-to-ABAP HTTP connection could be either to the same system or to another ABAP system. I am asking this because in our landscape we don't have any HTTP ABAP RFC destination created for ABAP-to-ABAP communication, so is our system impacted by the above Security Note or not? Kindly help.
Hello,
We discussed this with the development team and have the following: as the note is not related to data transfer, it makes no difference whether you are using HTTP or HTTPS.
About the 'http/intticket/mode' parameter, as per SAP Note 3549556 - FAQ 3537476 / Error Create failed during internal communication, setting the parameter to '0' is only for emergency cases, and "In case note 3007182 is not implemented and http/intticket/mode = 0, the system is vulnerable."
Our recommendation is to implement the necessary kernel corrections to address this issue.