SAP Security Notes Review: January 2024

Overview

SAP’s security patch day for January 2024 saw the release of 10 OSS SAP security notes. Based on their CVSS v3.0 ratings, two notes have been classified as critical, three as high, four as medium and one as low.

Bar chart for SAP Security Notes by CVSS v3 Base Score for Jan 2024

Three notes have been released for:

  • SAP NetWeaver AS ABAP

Single notes have been released for:

  • SAP BTP
  • SAP Web IDE
  • SAP Application Interface Framework
  • SAP LT Replication Server
  • SAP GUI
  • SAP S/4HANA
  • SAP Marketing

Bar graph for SAP Security Notes by Product Category for January 2024

Vulnerabilities: January 2024 Highlights

[Multiple CVEs] Escalation of Privileges in SAP Edge Integration Cell (SAP Note 3413475)

Under certain conditions, the SAP Edge Integration Cell allows escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.

[CVE-2023-49583] Escalation of Privileges in applications developed through SAP Business Application Studio, SAP Web IDE Full-Stack and SAP Web IDE for SAP HANA (SAP Note 3412456)

Under certain conditions, node.js applications created through SAP Business Application Studio, SAP Web IDE Full-Stack or SAP Web IDE for SAP HANA are vulnerable to an escalation of privileges.

[CVE-2024-21737] Code Injection vulnerability in SAP Application Interface Framework (File Adapter) (SAP Note 3411869)

In the SAP Application Interface Framework File Adapter, a highly privileged user can execute operating system commands using a function module.

[CVE-2024-21735] Improper Authorisation check in SAP LT Replication Server (SAP Note 3407617)

SAP LT Replication Server does not perform necessary authorisation checks, which could result in escalation of privileges.

About this Review

On the second Tuesday of each month, SAP release security updates to their software products. At Absoft, we analyse all of the released security updates and produce this security review, including sending bespoke recommendations for each of our managed service customers.

There is more information on how we handle SAP security updates, including information on SAP’s process, the CVE process and the CVSS base scores in our earlier article on addressing security vulnerabilities in SAP software.
