Overview
SAP’s security patch day for September 2024 has seen the release of 17 OSS SAP security notes. One note has been classified as high, 13 as medium, and three as low based on the CVSS v3.0 rating.

Six notes have been released for:
- SAP NetWeaver AS ABAP
Three notes have been released for:
- SAP NetWeaver AS JAVA
Two notes have been released for:
- SAP Business Warehouse
- SAP Commerce
Single notes have been released for:
- SAP S/4HANA
- SAP SYBASE
- SAP BusinessObjects
- SAP Student Life Cycle Management

Vulnerabilities: September 2024 Highlights
[CVE-2024-33003] Information Disclosure Vulnerability in SAP Commerce Cloud (SAP Note 3459935)
Some OCC API endpoints in SAP Commerce Cloud allow Personally Identifiable Information (PII) data—like passwords, email addresses, mobile numbers, coupon codes, and voucher codes—to be included in the request URL as query or path parameters.
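An added example (not from the SAP note or from Absoft's review) of the kind of check a defender might run over web-server or proxy access logs for the issue described above: query and path parameters are recorded by every hop that logs the request line, so PII placed there can be found after the fact. The parameter names, endpoint paths and log lines below are constructed assumptions, not values taken from the note.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Name fragments matching the PII types the note lists (assumed names; the
# affected OCC endpoint and parameter names are not given on the page).
SENSITIVE_TOKENS = {"password", "email", "mobile", "couponcode", "vouchercode"}
EMAIL_RE = re.compile(r"[^/@\s]+@[^/@\s]+\.[a-z]{2,}", re.I)
# Common Log Format request field: "METHOD URL HTTP/x.y"
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+"')

def pii_in_url(url: str) -> list:
    """Return labels for PII found in a request URL.

    Query parameters are matched by (normalised) name; path segments are
    flagged only when they look like an e-mail address, which is what PII
    passed as a path parameter looks like in a log.
    """
    parts = urlsplit(url)
    findings = []
    for name, _value in parse_qsl(parts.query, keep_blank_values=True):
        norm = name.lower().replace("_", "").replace("-", "")
        if any(tok in norm for tok in SENSITIVE_TOKENS):
            findings.append(f"query:{name}")
    for segment in parts.path.split("/"):
        if EMAIL_RE.fullmatch(unquote(segment)):
            findings.append("path:email")
    return findings

def scan_access_log(lines) -> list:
    """Return (line number, url, findings) for each request carrying PII."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        m = LOG_RE.search(line)
        if not m:
            continue
        findings = pii_in_url(m.group("url"))
        if findings:
            hits.append((lineno, m.group("url"), findings))
    return hits

# Constructed sample lines (not real traffic); endpoint paths are invented.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Sep/2024:10:01:02 +0000] "GET /occ/v2/site/products?fields=DEFAULT HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/Sep/2024:10:01:03 +0000] "POST /occ/v2/site/users/alice%40example.com/password?newPassword=Secret2 HTTP/1.1" 200 12',
    '10.0.0.6 - - [10/Sep/2024:10:01:04 +0000] "GET /occ/v2/site/users/current/carts/0001/vouchers?voucherCode=SAVE10 HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for lineno, url, findings in scan_access_log(SAMPLE_LOG):
        print(f"line {lineno}: {url} -> {', '.join(findings)}")
```

Lines 2 and 3 are reported; the value of the leaked parameter is deliberately not printed, so the audit output does not itself become a second copy of the PII.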
[CVE-2024-45280] Cross-Site Scripting (XSS) Vulnerability in SAP NetWeaver AS Java (Logon Application) (SAP Note 3505503)
Due to insufficient encoding of user-controlled inputs, SAP NetWeaver AS Java allows malicious scripts to be executed in the login application.
[CVE-2024-44112] Missing Authorisation check in SAP for Oil & Gas (Transportation and Distribution) (SAP Note 3505293)
Due to a missing authorisation check in SAP for Oil & Gas (Transportation and Distribution), an attacker authenticated as a non-administrative user could call a remote-enabled function to delete entries in a user data table.
About this Review
On the second Tuesday of each month, SAP releases security updates for its software products. At Absoft, we analyse all of the released security updates and produce this security review, including sending bespoke recommendations to each of our managed service customers.
There is more information on how we handle SAP security updates, including information on SAP’s process, the CVE process and the CVSS base scores in our earlier article on addressing security vulnerabilities in SAP software.