SAP Releases 16 New Security Notes on September 2024 Patch Day

September 10, 2024 at 10:27AM

SAP released 16 new and updated security notes in September 2024. The updates addressed critical, high, and medium-severity vulnerabilities in various software applications. These include fixes for issues such as missing authorization checks, information disclosure, and cross-site scripting. SAP advises users to apply the fixes promptly and notes no exploitation of these vulnerabilities.

SAP has announced the release of 16 new security notes and updates to 3 existing ones as part of its September 2024 Security Patch Day. The updates address vulnerabilities in various SAP applications, with a focus on resolving critical-, high- and medium-severity issues.

One particularly noteworthy update is related to a missing authorization check in BusinessObjects (CVE-2024-41730, CVSS score of 9.8). There are also updates for a high-severity information disclosure bug in Commerce Cloud (CVE-2024-33003, CVSS score of 7.4), and a medium-priority note patching multiple security defects in Replication Server (FOSS). Additionally, SAP has released 13 other security notes addressing medium-severity flaws in various applications such as NetWeaver, BusinessObjects, and S/4HANA.

The vulnerabilities being patched include cross-site scripting (XSS), information disclosure, DLL hijacking, and missing authorization check flaws, all of which could impact the availability, confidentiality, and integrity of the applications.

In terms of potential impact, one of the notes addresses six missing authorization check flaws in NetWeaver, where a low-privileged attacker could disrupt the application's availability for a specific user. Although SAP has not mentioned any active exploitation of these vulnerabilities, users are advised to review SAP’s security notes and apply the fixes promptly to mitigate any potential risk.

This overview provides a clear understanding of the security updates announced by SAP and emphasizes the importance of prompt action to address the identified vulnerabilities.
