As the second Tuesday of September 2024 approaches, SAP administrators and security professionals are preparing for another crucial event: SAP Security Patch Day. This month’s release addresses several vulnerabilities across various SAP products and components, emphasizing the ongoing importance of maintaining a robust security posture in SAP environments.
This month, 17 new security notes have been released. The highest CVSS score is 7.4, indicating the presence of high-priority vulnerabilities. The vulnerabilities affect a wide range of SAP products, including NetWeaver, Business Warehouse, and Commerce Cloud.
Among the most significant vulnerabilities this month is an information disclosure issue in SAP Commerce Cloud (CVE-2024-33003) with a CVSS score of 7.4. This high-priority vulnerability could potentially lead to unauthorized access to sensitive information. Additionally, a Cross-Site Scripting (XSS) vulnerability has been discovered in the SAP NetWeaver AS Java logon application (CVE-2024-45280), which could allow attackers to inject malicious scripts and potentially compromise user sessions.
Let’s look at the top 5 vulnerabilities this month by severity:
1. CVE-2024-33003 in SAP Commerce Cloud with a CVSS score of 7.4 is an information disclosure vulnerability that could lead to unauthorized access to sensitive data.
2. CVE-2024-45286 in SAP Production and Revenue Accounting has a CVSS score of 6.5 and is related to a missing authorization check in the Tobin interface, potentially allowing unauthorized access to sensitive financial data.
3. CVE-2024-45281 in SAP BusinessObjects Business Intelligence Platform with a CVSS score of 5.8 is a DLL hijacking vulnerability that could be exploited for privilege escalation or arbitrary code execution.
4. Multiple vulnerabilities (several CVEs) in SAP NetWeaver Application Server for ABAP and ABAP Platform with a combined CVSS score of 5.4 could impact the integrity and availability of the ABAP platform.
5. CVE-2024-45279 in SAP NetWeaver Application Server for ABAP (CRM Blueprint Application Builder Panel) has a CVSS score of 6.1 and is a Cross-Site Scripting (XSS) vulnerability that could be used to compromise user sessions.
Below is a complete table of all vulnerabilities patched this month:
For those looking to deepen their understanding of SAP security, I’m also recommending an original online SAP Security Course based on BlackHat SAP Security Training. This comprehensive course covers core concepts and security administration, providing valuable insights for SAP professionals. You can find it here https://www.udemy.com/course/sap-security-core-concepts-and-security-administration/
As the second Tuesday of September 2024 approaches, SAP administrators and security professionals are preparing for another crucial event: SAP Security Patch Day. This month’s release addresses several vulnerabilities across various SAP products and components, emphasizing the ongoing importance of maintaining a robust security posture in SAP environments.This month, 17 new security notes have been released. The highest CVSS score is 7.4, indicating the presence of high-priority vulnerabilities. The vulnerabilities affect a wide range of SAP products, including NetWeaver, Business Warehouse, and Commerce Cloud.Among the most significant vulnerabilities this month is an information disclosure issue in SAP Commerce Cloud (CVE-2024-33003) with a CVSS score of 7.4. This high-priority vulnerability could potentially lead to unauthorized access to sensitive information. Additionally, a Cross-Site Scripting (XSS) vulnerability has been discovered in the SAP NetWeaver AS Java logon application (CVE-2024-45280), which could allow attackers to inject malicious scripts and potentially compromise user sessions.Let’s look at the top 5 vulnerabilities this month by severity:1. CVE-2024-33003 in SAP Commerce Cloud with a CVSS score of 7.4 is an information disclosure vulnerability that could lead to unauthorized access to sensitive data.2. CVE-2024-45286 in SAP Production and Revenue Accounting has a CVSS score of 6.5 and is related to a missing authorization check in the Tobin interface, potentially allowing unauthorized access to sensitive financial data.3. CVE-2024-45281 in SAP BusinessObjects Business Intelligence Platform with a CVSS score of 5.8 is a DLL hijacking vulnerability that could be exploited for privilege escalation or arbitrary code execution.4. Multiple vulnerabilities (several CVEs) in SAP NetWeaver Application Server for ABAP and ABAP Platform with a combined CVSS score of 5.4 could impact the integrity and availability of the ABAP platform.5. CVE-2024-45279 in SAP NetWeaver Application Server for ABAP (CRM Blueprint Application Builder Panel) has a CVSS score of 6.1 and is a Cross-Site Scripting (XSS) vulnerability that could be used to compromise user sessions.Below is a complete table of all vulnerabilities patched this month:CVE Component Vulnerability Type CVSS CVE-2024-33003SAP Commerce CloudInformation Disclosure7.4CVE-2024-45286SAP Production and Revenue Accounting (Tobin interface)Missing Authorization Check6.5CVE-2024-45281SAP BusinessObjects Business Intelligence PlatformDLL Hijacking5.8Multiple CVEsSAP NetWeaver AS for ABAP and ABAP PlatformMultiple Vulnerabilities5.4CVE-2024-45279SAP NetWeaver AS for ABAP (CRM Blueprint Application Builder)Cross-Site Scripting (XSS)6.1CVE-2024-45280SAP NetWeaver AS Java (Logon Application)Cross-Site Scripting (XSS)4.8CVE-2024-45283SAP NetWeaver AS for Java (Destination Service)Information Disclosure6.0CVE-2024-44112SAP for Oil & Gas (Transportation and Distribution)Missing Authorization Check4.3CVE-2024-44120SAP NetWeaver Enterprise PortalCross-Site Scripting (XSS)4.7CVE-2024-42378eProcurement on S/4HANACross-Site Scripting (XSS)6.1CVE-2024-44113SAP Business Warehouse (BEx Analyzer)Information Disclosure4.3CVE-2024-41729SAP NetWeaver BW (BEx Analyzer)Information Disclosure4.3CVE-2013-3587SAP Commerce CloudInformation Disclosure5.9CVE-2024-44114SAP NetWeaver AS for ABAP and ABAP PlatformMissing Authorization Check2.0CVE-2024-45284SAP Student Life Cycle Management (SLcM)Missing Authorization Check2.7CVE-2024-41728SAP NetWeaver AS for ABAP and ABAP PlatformMissing Authorization Check2.7Multiple CVEsSAP Replication Server (FOSS)Multiple Vulnerabilities6.5 For those looking to deepen their understanding of SAP security, I’m also recommending an original online SAP Security Course based on BlackHat SAP Security Training. This comprehensive course covers core concepts and security administration, providing valuable insights for SAP professionals. You can find it here https://www.udemy.com/course/sap-security-core-concepts-and-security-administration/ Read More Technology Blogs by Members articles
#SAP
#SAPTechnologyblog