Advisory
A note with CVSS 3.5 for component BC-JAS-SEC was released by SAP on 08.07.2025. The correction/advisory 3557179 is titled "[CVE-2025-42978] Insufficiently Secure Hostname Verification for Outbound TLS Connections in SAP NetWeaver Application Server Java" and affects the system type Java.
According to the SAP Security Advisory team, no workaround exists. It is advisable to implement the correction as part of the monthly patch process.
The vulnerability addressed is a weak security function within Java.
Risk specification
SAP NetWeaver Application Server Java allows an unauthenticated attacker to establish an outbound connection to a potentially malicious remote TLS server due to insufficient hostname verification against wildcard entries in the server's certificate, potentially leading to information disclosure.
Solution
The issue has been resolved by ensuring that the certificate and the URL's fully qualified domain names (FQDNs) contain the same number of domain components during verification.
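The rule the fix describes is the standard wildcard constraint from RFC 6125: a `*` in a certificate name stands for exactly one DNS label, so the certificate name and the URL's FQDN must have the same number of domain components. The following is an added illustration, not SAP's code and not taken from this note: `strict_match` implements that rule (plus the usual companions: wildcard only as the whole leftmost label, no wildcard against an IP address, no `*.com`-style patterns), `lenient_match` shows the weaker behaviour in which a wildcard swallows any number of labels, and `verify_hostname` checks a hostname against a list of constructed SAN entries. All function names and sample names are assumptions for this example.

```python
"""Hostname verification against certificate names that may contain a wildcard.

Added example (not SAP code): a strict matcher following the rule the fix
describes (certificate name and URL FQDN must contain the same number of
domain components) next to a lenient matcher that illustrates the weakness.
"""
from __future__ import annotations

import ipaddress


def _labels(name: str) -> list[str]:
    """Normalise a DNS name: lowercase, drop one trailing dot, split on '.'."""
    name = name.lower().rstrip(".")
    return name.split(".") if name else []


def lenient_match(cert_name: str, hostname: str) -> bool:
    """Weak matcher, shown only for contrast.

    '*' is treated as a suffix match, so '*.example.com' also accepts
    'a.b.example.com': the number of domain components is never compared.
    """
    cert = cert_name.lower().rstrip(".")
    host = hostname.lower().rstrip(".")
    if not cert.startswith("*."):
        return cert == host
    return host.endswith(cert[1:])  # cert[1:] is '.example.com'


def strict_match(cert_name: str, hostname: str) -> bool:
    """RFC 6125-style matching of one certificate DNS name against a hostname.

    - an IP-literal hostname never matches a DNS name pattern
    - both names must have the same number of labels (the fix in the note)
    - a wildcard is allowed only as the entire leftmost label and must be
      followed by at least two labels, so '*.com' is rejected
    - the wildcard never matches an IDNA A-label ('xn--...')
    """
    try:
        ipaddress.ip_address(hostname)
        return False
    except ValueError:
        pass
    if "*" in hostname:
        return False
    cert = _labels(cert_name)
    host = _labels(hostname)
    if not cert or not host or len(cert) != len(host):
        return False
    if "*" not in cert_name:
        return cert == host
    if cert[0] != "*" or any("*" in lbl for lbl in cert[1:]) or len(cert) < 3:
        return False
    if host[0].startswith("xn--"):
        return False
    return cert[1:] == host[1:]


def verify_hostname(san_dns_names: list[str], hostname: str, matcher=strict_match) -> bool:
    """Accept the hostname if any SAN dNSName entry matches under `matcher`."""
    return any(matcher(name, hostname) for name in san_dns_names)


if __name__ == "__main__":
    # Constructed SAN list and target hosts for the demonstration.
    san = ["mail.example.com", "*.example.com"]
    for host in ["api.example.com", "sub.api.example.com", "example.com", "192.0.2.1"]:
        print(f"{host:24s} lenient={verify_hostname(san, host, lenient_match)!s:5s} "
              f"strict={verify_hostname(san, host)}")
```

Running the block prints one line per host; the interesting row is `sub.api.example.com`, which the lenient matcher accepts against `*.example.com` and the strict matcher rejects because the two names differ in their number of domain components.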
Affected System
SAP NetWeaver Application Server Java is part of the SAP NetWeaver Application Platform. It provides the complete infrastructure for deploying and running Java applications.
- The AS Java Home: SAP NetWeaver Application Server Java wiki
- A dedicated SAP NetWeaver 7.40 Application Server for Java Security Guide exists.