What was SAP's security update for March 2024 about?

SAP's security update for March 2024 included 10 new and 2 updated security notes as part of its monthly Security Patch Day. The update addressed critical vulnerabilities within its product ecosystem, emphasizing the company's commitment to safeguarding business-facing applications.

What was the most severe issue corrected in SAP's March 2024 patch batch?

The most severe issue corrected in SAP's March 2024 patch batch involved updating the Business Client's Chromium browser to version 121.0.6167.184, which had a CVSS Score of 10. This update was critical due to the high risk associated with the vulnerability.

What vulnerabilities were patched in SAP's March 2024 update?

SAP's March 2024 update patched vulnerabilities including a critical flaw in the lodash utility library (CVE-2019-10744) with a CVSS score of 9.4, and a code injection vulnerability in the NetWeaver AS Java's Administrator Log Viewer plugin (CVE-2024-22127) with a CVSS score of 9.1. These vulnerabilities were significant due to their potential impact on application security.

Advisory

SAP releases March update, patches at least three critical issues

Q: What are the 'hot news' items in the March 2024 SAP security update?

The 'hot news' items in the March 2024 SAP security update included critical vulnerabilities in the Chromium browser within the Business Client, the lodash utility library in Build Apps, and a code injection flaw within the NetWeaver AS Java's Administrator Log Viewer plugin. These vulnerabilities were addressed with high priority due to their severity and potential impact.

Q: Has there been any evidence of the vulnerabilities being exploited in the wild?

As of the release of the March 2024 security update, SAP emphasizes that there is no evidence of these vulnerabilities being exploited in the wild. However, patching these vulnerabilities is still advised to safeguard against potential security risks.

published: March 12, 2024

Take action: If you are using SAP products, prioritize patching of SAP Business Client, Build Apps, and NetWeaver AS Java's Administrator Log Viewer plugin. Then work through the rest.

Learn More

SAP has announced a significant security update for March 2024, comprising 10 new and 2 updated security notes as part of its monthly Security Patch Day. This update is particularly noteworthy for addressing critical vulnerabilities within its product ecosystem, highlighting the company's ongoing commitment to safeguarding business-facing applications.

Among the updates, three notes have been classified as 'hot news', the highest severity level within SAP's categorization system. These address critical vulnerabilities in widely used components such as the Chromium browser within the Business Client, the lodash utility library in Build Apps, and a code injection flaw within the NetWeaver AS Java's Administrator Log Viewer plugin:

The most severe issue corrected in this patch batch involves the update of the Business Client's Chromium browser to version 121.0.6167.184 (CVSS Score 10).
CVE-2019-10744 (CVSS score 9.4) vulnerability in the lodash utility library used in Build Apps, documented as This flaw allowed the execution of unauthorized commands on systems using vulnerable library versions, posing a severe risk to application security. The recommended action is to rebuild applications using the patched version of the library, 4.9.145.
CVE-2024-22127 (CVSS score 9.1), a code injection vulnerability in the Administrator Log Viewer plugin of NetWeaver AS Java, tracked as. The vulnerability stemmed from an incomplete list of prohibited file types for upload, potentially leading to command injection and significantly impacting the confidentiality, integrity, and availability of applications. The patch extends the list of prohibited file types to thwart such attacks.

Additionally, the patch day included updates for three high-priority security issues and other notes addressing vulnerabilities of medium severity across various SAP products like NetWeaver, Fiori Front End Server, and the ABAP Platform.

SAP emphasizes that there is no evidence of these vulnerabilities being exploited in the wild. However patching is still advised.

SAP releases March update, patches at least three critical issues

Read More
Atlassian releases security updates for server instances
Fortinet reports new max severity issues in FortiSIEM …
Mitel reports critical path traversal flaw in Mitel …
IBM Security Guardium critical vulnerability allows execution arbitrary …
Critical remote code execution flaw in LANSCOPE Endpoint …