SAP October 2024 Patch releases six new Security Notes, updates seven previous
Take action: If you are running SAP products, prioritize patching SAP BusinessObjects Business Intelligence Platform (CVE-2024-41730, CVSS 9.8), SAP Enterprise Project Connection (vulnerable Log4j and Spring libraries) and SAP NetWeaver. Review your exposure and patch where possible, starting with the critical flaw. Then review the remaining advisories and affected products and plan a regular update cycle.
For October 2024, SAP released six new Security Notes and updates to seven previously released ones, addressing vulnerabilities across multiple SAP products. The highest-priority item is an updated note for a critical vulnerability in SAP BusinessObjects Business Intelligence Platform.
- CVE-2024-41730 (CVSS score 9.8) - Missing Authentication Check in SAP BusinessObjects Business Intelligence Platform. Because an authentication check is missing, an unauthenticated attacker can gain access to the platform. SAP originally released fixes in August 2024 and updated the note in October 2024 to cover additional scenarios for customers on BusinessObjects 4.2 SP009. Affected products are SAP BusinessObjects Business Intelligence Platform 420, 430 and 440.
- CVE-2022-23302 (CVSS score 8.0) - Multiple vulnerabilities in SAP Enterprise Project Connection. These stem from bundled open-source libraries, namely the Spring Framework and Log4j, and could lead to unauthorized access or system compromise. Related CVEs: CVE-2024-22259, CVE-2024-38809, CVE-2024-38808. Affected product is SAP Enterprise Project Connection, Version 3.0.
- CVE-2024-37179 (CVSS score 7.7) - Insecure File Operations in SAP BusinessObjects Business Intelligence Platform (Web Intelligence). An authenticated user can download arbitrary files from the hosting machine using crafted requests, exposing the confidentiality of any data stored on that host. Affected products are SAP BusinessObjects Web Intelligence ENTERPRISE 420, 430, 2025 and ENTERPRISECLIENTTOOLS 420, 430, 2025.
- CVE-2024-39592 (CVSS score 7.7) - Missing Authorization Check in SAP PDCE. The flaw affects access control in Product Design Cost Estimating (PDCE) and may allow unauthorized actions. This note was initially released in July 2024 and has been updated to include fixes for additional components. Affected products are SAP PDCE S4CORE 102, 103 and S4COREOP 104 to 108.
- CVE-2024-45283 (CVSS score 6.0) - Information Disclosure in SAP NetWeaver AS for Java (Destination Service). May allow unauthorized access to sensitive information. Affected product is SAP NetWeaver AS for Java, Version 7.50.
- CVE-2024-45278 (CVSS score 5.4) - Cross-Site Scripting (XSS) in SAP Commerce Backoffice. Enables attackers to inject scripts, potentially compromising user data. Affected products are HY_COM 2205 and COM_CLOUD 2211.
- CVE-2024-47594 (CVSS score 5.4) - Cross-Site Scripting (XSS) in SAP NetWeaver Enterprise Portal (KMC). May allow attackers to execute arbitrary scripts within the user's browser session. Affected product is KMC-BC 7.5.
SAP has updated several security notes from prior Patch Days, providing additional fixes for vulnerabilities:
- CVE-2024-42373: Missing Authorization Check in SAP Student Life Cycle Management (SLcM), originally released in August 2024.
- CVE-2024-41729: Information Disclosure in SAP NetWeaver BW (BEx Analyzer), originally released in September 2024.
- CVE-2024-37180: Information Disclosure in SAP NetWeaver Application Server for ABAP and ABAP Platform, originally released in July 2024.
SAP urges customers to apply the provided patches promptly to protect their SAP systems from exploitation. While no active exploitation of these vulnerabilities is known at the time of writing, previous incidents have shown that attackers move quickly against unpatched SAP systems once fixes are public.
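The "review exposure" step above is easiest to do mechanically. The following script is an added example, not SAP tooling or code from this advisory: it transcribes the affected products listed on this page into a small table, expands release ranges such as "104-108", matches them against an installed-component inventory and prints the hits highest CVSS first. The inventory format ("COMPONENT RELEASE" per line) and the component labels used where the page names only a product (ENTERPRISE for the BI Platform, EPC for Enterprise Project Connection, AS_JAVA for NetWeaver AS Java) are assumptions for illustration; the sample inventory is constructed, not taken from any real landscape.

```python
"""Patch-exposure triage for the SAP October 2024 Patch Day advisory.

Added example, not SAP's own tooling. NOTES is transcribed from the
advisory text; labels marked (assumed) are illustrative, not SAP names.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Note:
    cve: str
    cvss: float
    title: str
    affected: dict  # component label -> release spec string as written in the advisory


NOTES = [
    Note("CVE-2024-41730", 9.8, "Missing Authentication Check in SAP BusinessObjects BI Platform",
         {"ENTERPRISE": "420, 430, 440"}),                                  # label assumed
    Note("CVE-2022-23302", 8.0, "Multiple vulnerabilities (Log4j/Spring) in SAP Enterprise Project Connection",
         {"EPC": "3.0"}),                                                    # label assumed
    Note("CVE-2024-37179", 7.7, "Insecure File Operations in SAP BusinessObjects Web Intelligence",
         {"ENTERPRISE": "420, 430, 2025", "ENTERPRISECLIENTTOOLS": "420, 430, 2025"}),
    Note("CVE-2024-39592", 7.7, "Missing Authorization Check in SAP PDCE",
         {"S4CORE": "102, 103", "S4COREOP": "104-108"}),
    Note("CVE-2024-45283", 6.0, "Information Disclosure in SAP NetWeaver AS for Java (Destination Service)",
         {"AS_JAVA": "7.50"}),                                               # label assumed
    Note("CVE-2024-45278", 5.4, "XSS in SAP Commerce Backoffice",
         {"HY_COM": "2205", "COM_CLOUD": "2211"}),
    Note("CVE-2024-47594", 5.4, "XSS in SAP NetWeaver Enterprise Portal (KMC)",
         {"KMC-BC": "7.5"}),
]


def parse_releases(spec: str) -> set:
    """Expand an advisory release spec into a set of release strings.

    "420, 430, 440" -> {"420", "430", "440"}; "104-108" -> {"104", ..., "108"}.
    Non-numeric tokens such as "7.50" are kept verbatim.
    """
    out = set()
    for token in (t.strip() for t in spec.split(",")):
        m = re.fullmatch(r"(\d+)-(\d+)", token)
        if m:
            lo, hi = int(m.group(1)), int(m.group(2))
            out.update(str(r) for r in range(lo, hi + 1))
        elif token:
            out.add(token)
    return out


def parse_inventory(text: str) -> list:
    """Parse 'COMPONENT RELEASE' lines; blank lines and '#' comments are ignored."""
    items = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        items.append((parts[0], parts[1]))
    return items


def triage(inventory: list) -> list:
    """Return (cvss, cve, component, release, title) for each exposed install, highest CVSS first."""
    hits = []
    for note in NOTES:
        for component, release in inventory:
            spec = note.affected.get(component)
            if spec is not None and release in parse_releases(spec):
                hits.append((note.cvss, note.cve, component, release, note.title))
    # Highest CVSS first; CVE id and component give a stable order for ties.
    return sorted(hits, key=lambda h: (-h[0], h[1], h[2]))


# Constructed inventory for demonstration, not from any real landscape.
SAMPLE_INVENTORY = """
ENTERPRISE 430             # BI Platform 4.3: hit by both BusinessObjects notes
ENTERPRISECLIENTTOOLS 440  # 440 is not in the Web Intelligence note's list
S4COREOP 106               # inside the 104-108 range for PDCE
HY_COM 2211                # Commerce note lists HY_COM 2205 and COM_CLOUD 2211 only
KMC-BC 7.5
"""

if __name__ == "__main__":
    for cvss, cve, comp, rel, title in triage(parse_inventory(SAMPLE_INVENTORY)):
        print(f"{cvss:>4}  {cve:<15} {comp} {rel}: {title}")
```

Feed it your real component list (for example an export of installed software components per system) and the ordering gives you the patch sequence: the critical BusinessObjects note first, then the two 7.7 notes, then the rest.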