Memory Corruption in SAP NetWeaver AS ABAP Internet Transaction Server
SAP NetWeaver AS ABAP (Internet Transaction Server)
CVSS 9.9 on a memory corruption vulnerability in a core NetWeaver component is the highest possible threat level for most SAP shops. ITS handles web-based SAP transactions and is often internet-facing. If you have not already patched, this is your weekend call.
Vulnerability Detail
A memory corruption vulnerability in the Internet Transaction Server (ITS) component of SAP NetWeaver AS ABAP allows a remote attacker to send specially crafted HTTP requests that corrupt memory, enabling arbitrary code execution. Successful exploitation compromises confidentiality, integrity, and availability of the affected system. The CVSS 9.9 score reflects broad version coverage and low exploit complexity.
Workaround
Restrict external access to ITS web endpoints using a WAF or reverse proxy. If ITS is not required, consider disabling it until the patch is applied.
Patch Action
Apply SAP Note 3747367 immediately. Verify affected versions in the official SAP Note. A system restart is required after patching.
Patch Info