SAP releases September 2024 patches for 19 security notes
Take action: If you are using SAP products, review the patch release and plan to update your systems. Immediate priority should be given to patching SAP BusinessObjects Business Intelligence and SAP Commerce Cloud. After that, review the rest and plan a regular patch cycle.
SAP released 16 new and three updated security notes as part of its September 2024 Security Patch Day. Key updates include:
Critical Vulnerability
- CVE-2024-41730 (CVSS score 9.8) - Missing Authentication Check in SAP BusinessObjects Business Intelligence Platform. This vulnerability allows an unauthenticated attacker to gain unauthorized access to the system. SAP updated the security note with workaround instructions for customers who cannot immediately apply the patch. The note's validity was also extended to include release 420 of the Enterprise software component.
- Affected Versions: SAP BusinessObjects Business Intelligence Platform ENTERPRISE 430, 440
High-Severity Vulnerability
- CVE-2024-33003 (CVSS score 7.4) - Information Disclosure Vulnerability in SAP Commerce Cloud. This vulnerability allows attackers to access sensitive information due to improper handling of certain data within the application. The patch was updated from SAP Commerce Cloud Update Release 2211.27 to 2211.28.
- Affected Versions: SAP Commerce Cloud HY_COM 1808, 1811, 1905, 2005, 2105, 2011, 2205, COM_CLOUD 2211
Medium-Severity Vulnerabilities
- CVE-2024-45286 (CVSS score 6.5) - Missing Authorization Check in SAP Production and Revenue Accounting (Tobin interface). A remote-enabled function module allows unauthorized access to arbitrary table data. The patch adds the necessary authorization checks to prevent data disclosure.
- Affected Versions: SAP Production and Revenue Accounting S4CEXT 106-108, IS-PRA 605-805
- Multiple CVEs (CVE-2023-0215, CVE-2022-0778, CVE-2023-0286) (CVSS score 6.5) - Multiple vulnerabilities in SAP Replication Server (FOSS). These vulnerabilities could allow an attacker to perform unauthorized operations affecting system availability and confidentiality.
- Affected Versions: SAP Replication Server 16.0.3, 16.0.4
- CVE-2024-45279 (CVSS score 6.1) - Cross-Site Scripting (XSS) in SAP NetWeaver Application Server for ABAP (CRM Blueprint Application Builder Panel). Weak input validation allows attackers to inject malicious scripts, potentially leading to unauthorized access or data manipulation.
- Affected Versions: SAP NetWeaver Application Server for ABAP 700, 701, 702, 731, 740, 750-75I
- CVE-2024-42378 (CVSS score 6.1) - Cross-Site Scripting (XSS) in eProcurement on SAP S/4HANA. Similar to the previous XSS vulnerability, this issue allows an attacker to execute malicious scripts via user-controlled input fields.
- Affected Versions: eProcurement on SAP S/4HANA SAP_APPL 606-618, S4CORE 102-108
- CVE-2024-45283 (CVSS score 6.0) - Information Disclosure Vulnerability in SAP NetWeaver AS for Java (Destination Service). An attacker could exploit this vulnerability to gain unauthorized access to sensitive information within the Java service.
- Affected Versions: SAP NetWeaver AS for Java 7.50
Other Medium and Low-Severity Vulnerabilities
- Multiple vulnerabilities involving Cross-Site Scripting (XSS), Information Disclosure, and Missing Authorization Checks were also addressed in:
  - SAP NetWeaver Application Server for ABAP and ABAP Platform,
  - SAP Business Warehouse (BEx Analyzer),
  - SAP for Oil & Gas,
  - SAP Student Life Cycle Management (SLcM),
  - other SAP applications.
- These vulnerabilities have lower CVSS scores, ranging from 2.0 to 5.9.
SAP recommends all customers review the relevant SAP Security Notes and apply the necessary patches as soon as possible to mitigate potential risks. Additionally, workaround instructions are provided for certain critical vulnerabilities for customers who cannot immediately apply the patches.
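As an added example (not SAP's code and not part of the advisory), the Python below maps the affected-version notation used above onto an inventory of installed SAP software components, so a team can see which notes are in scope before planning the patch cycle. The component key NW_AS_ABAP and the sample inventory are assumptions; the advisory names the product but not the component id for CVE-2024-45279.

```python
from typing import Dict, List, Tuple

# Affected releases as stated in the advisory, keyed by CVE and SAP software
# component. A token such as "106-108" or "750-75I" is an inclusive range.
# "NW_AS_ABAP" is an assumed key: the advisory names the product but not the
# component id for CVE-2024-45279.
AFFECTED: Dict[str, Dict[str, str]] = {
    "CVE-2024-41730": {"ENTERPRISE": "430, 440"},
    "CVE-2024-33003": {"HY_COM": "1808, 1811, 1905, 2005, 2105, 2011, 2205",
                       "COM_CLOUD": "2211"},
    "CVE-2024-45286": {"S4CEXT": "106-108", "IS-PRA": "605-805"},
    "CVE-2024-45279": {"NW_AS_ABAP": "700, 701, 702, 731, 740, 750-75I"},
    "CVE-2024-42378": {"SAP_APPL": "606-618", "S4CORE": "102-108"},
}


def release_in(spec: str, release: str) -> bool:
    """True if `release` is covered by `spec` ("430, 440" or "106-108").
    Release tokens are compared as fixed-width strings: ASCII orders digits
    before letters, so "750" <= "758" <= "75I" holds as SAP's naming intends.
    A token of a different width never matches a range."""
    for token in (t.strip() for t in spec.split(",")):
        if "-" in token:
            lo, hi = token.split("-", 1)
            if len(lo) == len(hi) == len(release) and lo <= release <= hi:
                return True
        elif token == release:
            return True
    return False


def in_scope(inventory: Dict[str, str],
             affected: Dict[str, Dict[str, str]] = AFFECTED) -> List[Tuple[str, str, str]]:
    """Return (cve, component, release) for every installed component release
    the advisory lists as affected. `inventory` maps component -> release."""
    hits = []
    for cve, components in affected.items():
        for comp, spec in components.items():
            rel = inventory.get(comp)
            if rel is not None and release_in(spec, rel):
                hits.append((cve, comp, rel))
    return hits


if __name__ == "__main__":
    # Constructed sample inventory (component -> release), not real system data.
    sample = {"ENTERPRISE": "430", "S4CORE": "105", "HY_COM": "2011", "IS-PRA": "900"}
    for cve, comp, rel in in_scope(sample):
        print(f"{cve}: {comp} {rel} is in the affected range; check the note's SP level")
```

A release match only means the system is in scope for the note; whether the note is already applied depends on the support package level, which this check does not read.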