Overview
SAP’s security patch day for March 2024 has seen the release of 11 OSS SAP security notes. Two notes have been classified as critical, three as high, and six as medium, based on their CVSS v3.0 rating.

Four notes have been released for:
- SAP NetWeaver AS Java
Single notes have been released for:
- SAP Build Apps
- SAP ABAP Platform
- SAP Fiori
- SAP Business Objects
- SAP HANA
- SAPGUI for HTML
- SAP Commerce Cloud

Vulnerabilities: March 2024 Highlights
[CVE-2024-22127] Code Injection vulnerability in SAP NetWeaver AS Java (Administrator Log Viewer plug-in) (SAP Note 3433192)
The SAP NetWeaver Administrator AS Java Log Viewer plug-in allows an attacker with high privileges to upload potentially dangerous files. This can lead to a command injection vulnerability.
[CVE-2019-10744] Code Injection vulnerability in applications built with SAP Build Apps (SAP Note 3425274)
Applications built with SAP Build Apps are vulnerable to a code injection attack. This vulnerability allows attackers to run unauthorised commands on the system.
[CVE-2023-50164] Path Traversal Vulnerability in SAP BusinessObjects Business Intelligence Platform (Central Management Console) (SAP Note 3414195)
SAP BusinessObjects Business Intelligence Platform CMC uses a version of Apache Struts that is vulnerable to directory traversal. It could be exploited by a user with high privileges.
[CVE-2023-44487] Denial of service (DoS) in SAP HANA XS Classic and HANA XS Advanced (SAP Note 3410615)
SAP HANA XS Classic and HANA XS Advanced allow an unauthenticated user to perform a DoS attack over the network by opening a massive number of HTTP/2 requests and then cancelling them. This can exhaust memory and have a high impact on the application’s availability.
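As an added example that is not part of the SAP note or this review, the following detection heuristic flags the open-then-cancel pattern described above. It assumes a constructed, hypothetical per-frame log format (`<epoch_seconds> <client_ip> <stream_id> <HEADERS|RST_STREAM>`); the window size and thresholds are assumed tuning values, not figures from SAP.

```python
"""Heuristic detector for the HTTP/2 open-then-cancel flood pattern.
Added example; the log format below is constructed and hypothetical:
one event per line, '<epoch_seconds> <client_ip> <stream_id> <frame>'."""
from collections import defaultdict


def parse_events(lines):
    """Parse log lines into (timestamp, client, stream_id, frame) tuples."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than failing
        ts, client, stream, frame = parts
        events.append((float(ts), client, int(stream), frame))
    return events


def detect_rapid_reset(lines, window_s=1.0, min_streams=50, reset_ratio=0.8):
    """Return (client, window_start, opened, reset) for every fixed window in
    which a client opened >= min_streams streams and cancelled >= reset_ratio
    of those same streams. Thresholds are assumed values for illustration."""
    per_client = defaultdict(list)
    for ts, client, stream, frame in parse_events(lines):
        per_client[client].append((ts, stream, frame))
    alerts = []
    for client, evs in per_client.items():
        buckets = defaultdict(lambda: {"opened": set(), "reset": set()})
        for ts, stream, frame in evs:
            b = int(ts // window_s)  # fixed-size time bucket
            if frame == "HEADERS":
                buckets[b]["opened"].add(stream)
            elif frame == "RST_STREAM":
                buckets[b]["reset"].add(stream)
        for b, c in sorted(buckets.items()):
            opened = len(c["opened"])
            # only count cancellations of streams opened in this window
            reset = len(c["opened"] & c["reset"])
            if opened >= min_streams and reset >= reset_ratio * opened:
                alerts.append((client, b * window_s, opened, reset))
    return alerts


def sample_log():
    """Constructed sample: one client opens and cancels 100 streams within a
    second; a second client opens five streams normally."""
    lines = []
    for i in range(100):
        sid = 2 * i + 1  # client-initiated HTTP/2 streams use odd ids
        lines.append(f"1710000000.{i:03d} 203.0.113.7 {sid} HEADERS")
        lines.append(f"1710000000.{i:03d} 203.0.113.7 {sid} RST_STREAM")
    for i in range(5):
        lines.append(f"1710000000.{i * 100:03d} 198.51.100.2 {2 * i + 1} HEADERS")
    return lines
```

Running `detect_rapid_reset(sample_log())` flags only the first client; the normal client never reaches the stream threshold.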
About this Review
On the second Tuesday of each month, SAP releases security updates for its software products. At Absoft, we analyse all of the released security updates and produce this security review, including sending bespoke recommendations to each of our managed service customers.
There is more information on how we handle SAP security updates, including information on SAP’s process, the CVE process and the CVSS base scores in our earlier article on addressing security vulnerabilities in SAP software.