
Is the system still vulnerable without using HTTP or the SAP Note 3537476 must to be applied?

SAPSupport

Hi Team,

SAP has released SAP Security Note 3537476 - [CVE-2025-0070] Improper Authentication in SAP NetWeaver ABAP Server and ABAP Platform, of Very High priority, but the details are not clear enough for us to assess the impact.

The SAP Note mentions that "A malicious user is able to steal credentials from an internal RFC communication between server A (HTTP client) and server B (serving the request) of the same system" over an HTTP call.

So our understanding is that this Note is applicable only if we have an HTTP RFC destination from an ABAP system to an ABAP system. The ABAP-to-ABAP HTTP connection could be either to the same system or to another ABAP system. I am asking because in our landscape we do not have any HTTP ABAP RFC destination created for ABAP-to-ABAP communication, so is our system impacted by the above Security Note or not? Kindly help.

SAPSupport

Hello,

We discussed this with the development team and have the following: as the note is not related to data transfer, it makes no difference whether you are using HTTP or HTTPS.

About the 'http/intticket/mode' parameter, as per SAP Note 3549556 - FAQ 3537476 / Error Create failed during internal communication, setting the parameter to '0' is only for emergency cases, and "In case note 3007182 is not implemented and http/intticket/mode = 0, the system is vulnerable."

Our recommendation is to implement the necessary Kernel corrections to address this issue.