Overview
SAP’s security patch day for October 2024 has seen the release of 12 OSS SAP security notes. One note has been classified as critical, three as high, and eight as medium, based on their CVSS v3.0 ratings.

Three notes have been released for:
- SAP S/4HANA

Two notes have been released for:
- SAP BusinessObjects

Single notes have been released for:
- SAP Enterprise Project Connection
- SAP HANA
- SAP Commerce
- SAP NetWeaver Enterprise Portal
- SAP NetWeaver AS JAVA
- SAP NetWeaver AS ABAP
- SAP BW

Vulnerabilities: October 2024 Highlights
[CVE-2024-37179] Insecure File Operations vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Intelligence) (SAP Note 3478615)
SAP BusinessObjects Business Intelligence Platform allows an authenticated user to send a specially crafted request to the Web Intelligence Reporting Server to download any file from the machine hosting the service.

[CVE-2022-23302] Multiple vulnerabilities in SAP Enterprise Project Connection (SAP Note 3523541)
SAP Enterprise Project Connection uses versions of the Spring Framework and Log4j open-source libraries which are vulnerable to multiple different attacks.

[CVE-2024-45277] Prototype Pollution vulnerability in SAP HANA Client (SAP Note 3520100)
SAP HANA Client is impacted by a Prototype Pollution vulnerability, allowing an attacker to add arbitrary properties to global object prototypes.

About this Review
On the second Tuesday of each month, SAP release security updates to their software products. At Absoft, we analyse all of the released security updates and produce this security review, including sending bespoke recommendations for each of our managed service customers.
There is more information on how we handle SAP security updates, including information on SAP’s process, the CVE process and the CVSS base scores in our earlier article on addressing security vulnerabilities in SAP software.