August 2024 Update for SAP System Software
On this month's Patch Day, SAP released 25 new and updated security patches, more than the average number, addressing a variety of critical issues affecting its applications.
One of the most significant vulnerabilities addressed is a Denial of Service (DoS) issue in SAP BusinessObjects Business Intelligence Platform, patched by SAP Security Note #3479478. The vulnerability, tagged with a CVSS score of 9.8, could potentially cause severe disruptions to services.
Another critical issue was found in SAP Build Apps, which uses a vulnerable version of the Node.js library. This vulnerability, reported on August 25, 2024, by a party that has not yet been publicly disclosed, was patched by SAP Security Note #3477196. SAP recommends re-building applications with SAP Build Apps version 4.11.130 or later to address this vulnerability.
SAP Security Note #3477423 addresses another Missing Authorization Check vulnerability in SAP Document Builder, while SAP Security Note #3479293 patches a similar issue in SAP Student LifeCycle Management (SLcM).
The Onapsis Research Labs, who have updated their platform to include these newly published vulnerabilities, supported SAP in patching a High Priority vulnerability in SAP BEx Web Java Runtime Export Web Service and assisted in patching one High Priority and six Medium Priority vulnerabilities on August Patch Day.
Additionally, SAP Security Note #3460407 patches an Information Disclosure vulnerability in SAP NetWeaver AS Java (Meta Model Repository), tagged with a CVSS score of 7.5. Meanwhile, SAP Security Note #3459935 addresses a set of vulnerable OCC API endpoints in SAP Commerce Cloud, posing a risk of data leakage.
Two of the released notes are HotNews Notes, and four are High Priority Notes. Notably, SAP Security Note #3487537 patches a Server-Side Request Forgery vulnerability in SAP CRM ABAP (Insights Management), and SAP Security Note #3423268 addresses a vulnerability in SAP S/4HANA (Manage Supply Protection), which uses the open source library SheetJS.
Lastly, SAP Security Note #3468102 details an Improper Access Control vulnerability in SAP NetWeaver Application Server ABAP.
This article was written by Thomas Fritsch.