Overview
SAP’s security patch day for November 2024 has seen the release of 10 OSS SAP security notes. Two notes have been classified as high, six as medium, and two as low based on the CVSS v3.0 rating.

Two notes have been released for:
- SAP NetWeaver AS ABAP
- SAP S/4HANA
- SAP NetWeaver AS JAVA

Single notes have been released for:
- SAP Software Update Manager
- SAP Web Dispatcher
- SAP Host Agent
- SAP Product Design Cost Estimation

Vulnerabilities: November 2024 Highlights
[CVE-2024-47590] Cross-Site Scripting (XSS) vulnerability in SAP Web Dispatcher (SAP Note 3520281)
An unauthenticated attacker can craft a publicly available link and trick users into opening it. Through that link the attacker can extract data that may allow them to execute code on the server, fully compromising confidentiality, integrity and availability. This only affects Web Dispatchers with the UI enabled.
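To help decide which Web Dispatcher instances are in scope for this note, the following added example (not code from this review or from SAP) parses a constructed profile file and reports whether an ICM web administration handler (`icm/HTTP/admin_<n>`) is active. It assumes that "UI enabled" refers to that administration interface and that the handler options follow the documented `PREFIX=...,DOCROOT=...,AUTHFILE=...,PORT=...` form.

```python
import re
from typing import Dict, List

# Constructed sample of a Web Dispatcher profile (not a real customer file).
SAMPLE_PROFILE = """\
# sapwebdisp.pfl (constructed example)
SAPSYSTEMNAME = WD1
icm/server_port_0 = PROT=HTTPS,PORT=44300
# icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=./admin   (old, commented out)
icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=./admin,AUTHFILE=./icmauth.txt
wdisp/system_0 = SID=ABC,MSHOST=abchost,MSPORT=8100
"""

# Assumption: the administration UI is switched on by any active icm/HTTP/admin_<n> entry.
ADMIN_PARAM = re.compile(r"^icm/HTTP/admin_(\d+)$")


def parse_profile(text: str) -> Dict[str, str]:
    """Return the active (uncommented) key = value pairs of a profile file.
    Profiles are read top to bottom, so a later entry overrides an earlier one."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")   # first '=' splits key from value
        if not sep:
            continue
        params[key.strip()] = value.strip()
    return params


def admin_ui_handlers(params: Dict[str, str]) -> List[Dict[str, object]]:
    """List every enabled admin UI handler with its URL prefix and parsed options."""
    handlers = []
    for key, value in params.items():
        if ADMIN_PARAM.match(key):
            opts = dict(item.split("=", 1) for item in value.split(",") if "=" in item)
            handlers.append({"param": key, "prefix": opts.get("PREFIX", "?"), "options": opts})
    return handlers


def assess(profile_text: str) -> Dict[str, object]:
    """Summarise whether the profile exposes the administration UI (assumed scope of the note)."""
    handlers = admin_ui_handlers(parse_profile(profile_text))
    return {"admin_ui_enabled": bool(handlers), "handlers": handlers}


if __name__ == "__main__":
    print(assess(SAMPLE_PROFILE))
```

Run it against each instance's profile (for example `sapwebdisp.pfl`); an instance reporting `admin_ui_enabled: True` should be prioritised for the patch.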
[CVE-2024-39592] Missing Authorisation check in SAP PDCE (SAP Note 3483344)
Elements of PDCE do not perform necessary authorisation checks for an authenticated user, resulting in escalation of privileges.
[CVE-2024-47588] Information Disclosure vulnerability in SAP NetWeaver Java (Software Update Manager) (SAP Note 3522953)
In SAP NetWeaver Java (Software Update Manager 1.1), under certain conditions when a software upgrade encounters errors, credentials are written in plaintext to a log file.
About this Review
On the second Tuesday of each month, SAP releases security updates for its software products. At Absoft, we analyse all of the released security updates and produce this security review, including sending bespoke recommendations to each of our managed service customers.
There is more information on how we handle SAP security updates, including information on SAP’s process, the CVE process and the CVSS base scores in our earlier article on addressing security vulnerabilities in SAP software.