Overview

SAP’s security patch day for August 2024 has seen the release of 19 OSS SAP security notes. Two notes have been classified as critical, two as high, and 15 as medium based on the CVSS v3.0 Rating.

Security Notes by CVSS v3 Base Score for Aug 2024

Six notes have been released for:

  • SAP NetWeaver AS ABAP

Three notes have been released for:

  • SAP Commerce
  • SAP S/4HANA

Two notes have been released for:

  • SAP BusinessObjects

Single notes have been released for:

  • SAP Sybase
  • SAP CRM
  • SAP BEx
  • SAP Build Apps
  • SAP Permit to Work

Security Notes by Product Category for Aug 2024

Vulnerabilities: August 2024 Highlights

[CVE-2024-41730] Missing Authentication check in SAP BusinessObjects Business Intelligence Platform (SAP Note 3479478)

If SSO is enabled in SAP BusinessObjects Business Intelligence Platform, an unauthorised user can acquire a login token from a REST endpoint, allowing the attacker to fully compromise the system.

[CVE-2024-29415] Server-Side Request Forgery vulnerability in applications built with SAP Build Apps (SAP Note 3477196)

SAP Build Apps used an outdated version of the Node.js IP library, which is vulnerable to Server-Side Request Forgery. Affected versions of this package are vulnerable via the isPublic function, which classifies some private IP addresses as public because of improper input parsing.
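The bug class behind this note is lenient address parsing: shorthand and non-decimal forms of a loopback or private address slip past a "public address" check. The following is an added example, not code from SAP or from the IP library, showing a fail-closed alternative: only canonical dotted-decimal IPv4 is accepted, everything else is treated as not public. The range list and function names are this example's own.

```javascript
// Added example (not from SAP or the Absoft review): a strict IPv4 classifier
// for server-side "is this address public?" checks. Lenient parsers accept
// shorthand such as "127.1", octal "0177.0.0.1" or hex "0x7f.0.0.1", which is
// how a private address can be misread as public. Here anything that is not
// canonical dotted-decimal is rejected outright instead of being normalised.
const CANONICAL_IPV4 =
  /^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$/;

// Non-public IPv4 ranges an SSRF guard should refuse (CIDR notation).
// Illustrative list; extend it to match your own egress policy.
const NON_PUBLIC_RANGES = [
  "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
  "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
  "224.0.0.0/4", "240.0.0.0/4",
];

// Parse canonical dotted-decimal only; returns a 32-bit unsigned int or null.
// Leading zeros, hex, fewer than four octets and whitespace all return null.
function parseStrictIPv4(text) {
  if (typeof text !== "string" || !CANONICAL_IPV4.test(text)) return null;
  return text
    .split(".")
    .reduce((acc, octet) => ((acc << 8) | Number(octet)) >>> 0, 0);
}

// True when the 32-bit address falls inside the given CIDR block.
function inCidr(addr, cidr) {
  const [base, bits] = cidr.split("/");
  const prefix = Number(bits);
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  return ((addr & mask) >>> 0) === ((parseStrictIPv4(base) & mask) >>> 0);
}

// Returns true only for a canonical, publicly routable IPv4 literal.
// Unparseable or non-canonical input is treated as NOT public (fail closed),
// which is the opposite default to the lenient parser described above.
function isPublicIPv4Strict(text) {
  const addr = parseStrictIPv4(text);
  if (addr === null) return false;
  return !NON_PUBLIC_RANGES.some((cidr) => inCidr(addr, cidr));
}
```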

[CVE-2024-42374] XML injection in SAP BEx Web Java Runtime Export Web Service (SAP Note 3485284)

BEx Web Java Runtime Export Web Service does not sufficiently validate an XML document accepted from an untrusted source. An attacker can retrieve information from the SAP ADS system and exhaust the available XMLForm services, which makes SAP ADS rendering (PDF creation) unavailable.

[CVE-2024-33003] Information Disclosure Vulnerability in SAP Commerce Cloud (SAP Note 3459935)

Some OCC API endpoints in SAP Commerce Cloud allow Personally Identifiable Information (PII), such as passwords, email addresses, mobile numbers, coupon codes, and voucher codes, to be included in the request URL as query or path parameters.

About this Review

On the second Tuesday of each month, SAP releases security updates for its software products. At Absoft, we analyse all of the released security updates and produce this security review, and we send bespoke recommendations to each of our managed service customers.

Our earlier article on addressing security vulnerabilities in SAP software has more information on how we handle SAP security updates, including SAP’s process, the CVE process and CVSS base scores.
