SAP releases February patch, addresses 16 issues, two critical
Take action: If you are using SAP products, review the advisory and plan patching. Priority items on the list are SAP Business Client and SAP ABA (Application Basis). NetWeaver AS Java and SAP CRM also deserve your attention.
Learn More
In its February 2024 Security Patch Day, SAP released a series of security updates to address vulnerabilities across its product range, including 13 new and 3 updated security notes. The two critical issues fixed are:
- Security updates for the Google Chromium browser control delivered with SAP Business Client, with a CVSS score of 10
- Code injection vulnerability in the SAP ABA cross-application component, tracked as CVE-2024-22131 (CVSS score 9.1). This vulnerability could allow attackers with remote execution authorization to invoke an application function through a vulnerable interface, enabling unauthorized actions such as reading or modifying user/business data or causing system unavailability.
In addition to the two critical vulnerabilities, SAP addressed several high-severity issues, including cross-site scripting (XSS) and XML External Entity (XEE) injection vulnerabilities in NetWeaver AS Java, XSS issues in CRM (WebClient UI), a code injection defect in IDES Systems, and an improper certificate validation in Cloud Connector. The Patch Day also included fixes for seven medium-severity vulnerabilities affecting various SAP components and applications, such as Bank Account Management and Fiori, among others.
SAP recommends applying these patches promptly to protect against potential exploits, especially since attackers have previously targeted vulnerabilities in SAP products after fixes were announced. Currently there is no indication that these vulnerabilities have been exploited in the wild.