April 9, 2024 at 09:42AM
SAP released 10 new security notes and updated two, patching high-severity vulnerabilities. One note addresses a security misconfiguration issue in NetWeaver AS Java UME that allows simple passwords despite the password requirements. Onapsis clarifies the issue’s cause and recommends applying SAP’s patches regardless of feature status. The remaining notes fix medium-severity issues in various SAP products. Customers are urged to apply the patches promptly because the vulnerabilities could be exploited.
Key takeaways:
– SAP released 10 new and two updated security notes in April 2024, addressing various vulnerabilities, including high-severity issues.
– The most severe vulnerability (CVE-2024-27899, CVSS score of 8.8) is in NetWeaver AS Java User Management Engine (UME), caused by a missing check in the program logic rather than a configuration issue.
– SAP has also addressed high-severity vulnerabilities in BusinessObjects Web Intelligence and Asset Accounting, along with medium-severity issues in Integration Suite, NetWeaver, Group Reporting Data Collection, Business Connector, and S/4HANA.
– Updates to previous security notes from May 2022 and August 2023 were also announced, resolving information disclosure and URL redirection bugs in Employee Self Service and S/4HANA respectively.
– Customers are advised to apply the patches as soon as possible, as vulnerabilities for which patches have been released are known to have been targeted in the wild.