Advisory

SAP January 2024 patches multiple issues, three critical

Take action: If you are using SAP products, review the advisory and plan patching. Priority items on the list are SAP Business Application Studio, SAP Web IDE Full-Stack, SAP Web IDE for SAP HANA, SAP Edge Integration Cell, and SAP BTP.


Learn More

In January 2024, SAP released 10 new Security Notes and updated 2 existing ones to address vulnerabilities. The vulnerabilities include privilege escalation, code injection, denial of service, information disclosure, improper authorization checks, log injection, and cross-site scripting.

These vulnerabilities affect various SAP products, including SAP Business Application Studio, SAP Web IDE, SAP Edge Integration Cell, and SAP NetWeaver, among others.

SAP urges customers to visit the Support Portal and apply the patches promptly to safeguard their SAP environments.

Details of the escalated issues:

  • Hot News Note# 3412456 [CVE-2023-49583] (CVSS score 9.1): Privilege Escalation in applications via SAP Business Application Studio, SAP Web IDE Full-Stack, and SAP Web IDE for SAP HANA. Affected Libraries: @sap/xssec (< 3.6.0), @sap/approuter (Versions –14.4.2).
  • Hot News Note# 3413475 [Multiple CVEs] (CVSS score 9.1): Privilege Escalation in SAP Edge Integration Cell. Related CVEs: CVE-2023-49583, CVE-2023-50422. Affected Product: SAP Edge Integration Cell (Versions >= 8.9.13).
  • Hot News Note# 3411067 (CVSS score 9.1): Update to December 2023 Security Note. Topic: Privilege Escalation in SAP BTP Security Services Integration Libraries. Related CVEs: CVE-2023-49583, CVE-2023-50422, CVE-2023-50423, CVE-2023-50424. Affected Libraries: @sap/xssec (< 3.6.0), cloud-security-services-integration-library (< 2.17.0 & from 3.0.0 before 3.3.0), sap-xssec (< 4.1.0), github.com/sap/cloud-security-client-go (< 0.17.0).
  • Note# 3411869 [CVE-2024-21737] (CVSS score 8.4): Code Injection vulnerability in SAP Application Interface Framework (File Adapter). Affected Product: SAP Application Interface Framework (File Adapter, Version 702).
  • Note# 3389917 [CVE-2023-44487] (CVSS score 7.5): Denial of Service (DoS) in SAP Web Dispatcher, SAP NetWeaver AS ABAP, and ABAP Platform. Affected Products include SAP Web Dispatcher (Versions 7.53 to 7.95) and SAP NetWeaver AS ABAP and ABAP Platform (various versions).
  • Note# 33386378 [CVE-2024-22125] (CVSS score 7.4): Information Disclosure in Microsoft Edge browser extension (SAP GUI connector for Microsoft Edge, Version 1.0).
  • Note# 3407617 [CVE-2024-21735] (CVSS score 7.3): Improper Authorization Check in SAP LT Replication Server. Affected Versions: S4CORE 103 to S4CORE 108.
  • Note# 3260667 [CVE-2024-21736] (CVSS score 6.4): Missing Authorization Check in SAP S/4HANA Finance (Advanced Payment Management, SAPSCORE 128, S4CORE 10).
  • Note# 3324732 (CVSS score 5.3): Update to July 2023 Security Note. Topic: Log Injection in SAP NetWeaver AS for Java (Log Viewer). Affected Versions: ENGINEAPI 7.50, SERVERCORE 7.50, J2EE-APPS 7.50.
  • Note# 3387737 [CVE-2024-21738] (CVSS score 4.1): Cross-Site Scripting (XSS) in SAP NetWeaver ABAP Application Server and ABAP Platform. Affected Versions: SAP_BASIS 700 to SAP_BASIS 793.
  • Note# 3392626 [CVE-2024-22124] (CVSS score 3.7): Information Disclosure in SAP NetWeaver Internet Communication Manager. Affected Versions: KERNEL 7.22, KERNEL 7.53, KERNEL 7.54, KRNL64UC 7.22, KRNL64UC 7.22EXT, KRNL64UC 7.53, KRNL64NUC 7.22,
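The three Hot News notes above are the ones most teams can verify mechanically, because they name library versions rather than SAP kernel levels. The script below is an added example, not part of the advisory or of SAP's tooling: it encodes the affected ranges exactly as listed in Notes 3412456 and 3411067 (the split range for cloud-security-services-integration-library included), checks a single library/version pair, and walks a constructed npm package-lock.json fragment. It assumes the garbled "@sap/approuter (Versions –14.4.2)" entry means versions before 14.4.2.

```python
"""Check dependency versions against the affected ranges in SAP Notes 3412456 / 3411067."""
import json
import re

# Affected ranges from the advisory as (lower_inclusive, upper_exclusive); None = no lower bound.
AFFECTED = {
    "@sap/xssec": [(None, "3.6.0")],
    "@sap/approuter": [(None, "14.4.2")],  # assumption: "-14.4.2" read as "< 14.4.2"
    "sap-xssec": [(None, "4.1.0")],
    "github.com/sap/cloud-security-client-go": [(None, "0.17.0")],
    # "< 2.17.0 & from 3.0.0 before 3.3.0" is two disjoint ranges, so both are listed.
    "cloud-security-services-integration-library": [(None, "2.17.0"), ("3.0.0", "3.3.0")],
}


def parse_version(text):
    """Turn '3.5.1', '^3.5.1' or 'v0.16.2' into a comparable tuple of ints."""
    match = re.match(r"[^\d]*(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))  # pad so 3.6 == 3.6.0


def is_affected(library, version):
    """True when the given version falls inside any affected range for the library."""
    version_tuple = parse_version(version)
    for lower, upper in AFFECTED.get(library, []):
        above_lower = lower is None or parse_version(lower) <= version_tuple
        if above_lower and version_tuple < parse_version(upper):
            return True
    return False


def scan_lockfile(lock_json):
    """Return [(name, version)] for locked npm packages inside an affected range.
    Reads the lockfileVersion 2/3 'packages' map (keys like 'node_modules/@sap/xssec')."""
    findings = []
    for path, meta in json.loads(lock_json).get("packages", {}).items():
        name = path.split("node_modules/")[-1]
        version = meta.get("version")
        if version and is_affected(name, version):
            findings.append((name, version))
    return findings


# Constructed sample package-lock.json fragment; not taken from any real project.
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/@sap/xssec": {"version": "3.5.0"},      # below 3.6.0: affected
    "node_modules/@sap/approuter": {"version": "14.4.2"},  # at the fixed version: clean
    "node_modules/express": {"version": "4.18.2"},         # not listed in the note
}})

if __name__ == "__main__":
    for name, version in scan_lockfile(SAMPLE_LOCK):
        print(f"affected: {name}@{version}")
```

The same `is_affected` check can be fed from a requirements.txt, go.sum or Maven dependency tree, since only the library name and resolved version matter.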