SAP NetWeaver Application Server Java TLS Hostname Verification Vulnerability

Vulnerability

A vulnerability exists in the component responsible for outbound TLS connections in SAP NetWeaver Application Server Java. The hostname used for the connection is not reliably matched against a wildcard hostname (a name such as *.example.com) in the certificate presented by the remote TLS server. As a result, an outbound connection can be established to a potentially malicious remote TLS server, leading to information disclosure. Several product versions and version ranges are affected.
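To make concrete what "reliably matched against the wildcard hostname" means, the following added example (not SAP's code, and not the affected component) implements the RFC 6125 section 6.4.3 wildcard rules as most TLS clients apply them, and places beside it a constructed glob-based matcher that shows the class of over-broad match a defender should test for. All hostnames and certificate names in it are constructed.

```python
from fnmatch import fnmatchcase
from typing import Iterable


def _normalize(name: str) -> str:
    """Lower-case (DNS names are case-insensitive) and drop one trailing dot."""
    name = name.strip().lower()
    return name[:-1] if name.endswith(".") else name


def naive_match(pattern: str, hostname: str) -> bool:
    """Constructed anti-example: glob matching lets '*' span label separators,
    so '*.example.com' wrongly identifies 'a.b.example.com'."""
    return fnmatchcase(_normalize(hostname), _normalize(pattern))


def match_dns_name(pattern: str, hostname: str) -> bool:
    """True if one certificate dNSName `pattern` identifies `hostname`.
    Wildcard handling follows RFC 6125 section 6.4.3 as most TLS clients apply it:
    '*' must be the entire left-most label, matches exactly one label, and is
    followed by at least two literal labels (so '*.com' matches nothing)."""
    pattern, hostname = _normalize(pattern), _normalize(hostname)
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Reject empty names, empty labels ('a..b') and a wildcard in the hostname itself.
    if not hostname or "*" in hostname or "" in p_labels or "" in h_labels:
        return False
    if "*" not in pattern:
        return pattern == hostname            # plain name: exact match only
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False                          # '*' must be the whole first label
    if any("*" in lab for lab in p_labels[1:]):
        return False                          # no wildcard past the first label
    # One label per '*': label counts must agree and the suffix must be identical.
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def verify_peer_name(hostname: str, san_dns_names: Iterable[str]) -> bool:
    """Accept the peer only if some SAN dNSName identifies the connection hostname."""
    return any(match_dns_name(p, hostname) for p in san_dns_names)
```

A client that accepts anything `naive_match` accepts will connect to a server holding a certificate for a sibling or parent name; `verify_peer_name` is the check to expect from an outbound TLS stack.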

Impact

Exploitation of this vulnerability could result in information disclosure by allowing connections to malicious remote TLS servers.

Remediation

Users are advised to review and implement the SAP Security Note related to this vulnerability. This can be done through the SAP for Me platform, where all security notes are available. For details on the next SAP Security Patch Day, refer to the SAP Security Patch Day calendar.

Added: Jul 8, 2025, 1:31 AM
Updated: Jul 8, 2025, 1:31 AM

Vulnerability Rating

Custom Algorithm

  spread          6.2
  impact          2.5
  exploitability  5.2
  remediation     0.0
  relevance       0.2
  threat          0.0
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.