August 13, 2024 at 11:36AM
SAP announced 17 new and 8 updated security notes for August 2024. Two "hot news" notes address critical vulnerabilities: a missing authentication check in the BusinessObjects Business Intelligence platform and a server-side request forgery (SSRF) bug in a Node.js library used by SAP Build Apps. Four other high-severity vulnerabilities were resolved, along with a number of medium-severity ones. Organizations are urged to apply the patches and mitigations promptly.
The key takeaways are:
– SAP announced the release of 17 new and eight updated security notes as part of its August 2024 Security Patch Day.
– Two of the new security notes are rated ‘hot news’ and address critical-severity vulnerabilities.
– The first addresses a missing authentication check in the BusinessObjects Business Intelligence platform (CVE-2024-41730); the second covers a server-side request forgery (SSRF) bug in a Node.js library used in SAP Build Apps (CVE-2024-29415).
– Four of the remaining security notes resolve high-severity vulnerabilities, including an XML injection flaw in BEx Web Java Runtime Export Web Service, a prototype pollution bug in S/4 HANA (Manage Supply Protection), and an information disclosure issue in Commerce Cloud.
– One updated note resolves a denial-of-service (DoS) vulnerability in NetWeaver AS Java (Meta Model Repository).
– The remaining 19 security notes address medium-severity vulnerabilities that could lead to information disclosure, escalation of privileges, code injection, and data deletion, among others.
– Organizations are advised to review SAP's security notes and apply the available patches and mitigations as soon as possible; the advisory itself reports no in-the-wild exploitation of these specific flaws, but threat actors are known to target unpatched SAP systems.
Related coverage: SAP AI Core vulnerabilities that allowed service takeover and access to customer data; SAP patches for high-severity vulnerabilities in PDCE and Commerce; and SAP patches for high-severity vulnerabilities in Financial Consolidation and NetWeaver.