On 13 August 2024, as part of SAP Security Patch Day, SAP published 17 new security notes and updated 8 previously released ones. The most important updates were:
- CVE-2024-41730: Missing Authentication check in SAP BusinessObjects Business Intelligence Platform. CVSS score: 9.8 (Hot News).
- CVE-2024-29415: Server-Side Request Forgery vulnerability in applications built with SAP Build Apps. CVSS score: 9.1 (Hot News).
- CVE-2024-42374: XML injection vulnerability in SAP BEx Web Java Runtime Export Web Service. CVSS score: 8.2 (High).
| Note# | Title | Product and affected versions | Priority | CVSS |
|---|---|---|---|---|
| 3479478 | [CVE-2024-41730] Missing Authentication check in SAP BusinessObjects Business Intelligence Platform | SAP BusinessObjects Business Intelligence Platform, versions ENTERPRISE 430, 440 | Hot News | 9.8 |
| 3477196 | [CVE-2024-29415] Server-Side Request Forgery vulnerability in applications built with SAP Build Apps | SAP Build Apps, versions < 4.11.130 | Hot News | 9.1 |
| 3485284 | [CVE-2024-42374] XML injection in SAP BEx Web Java Runtime Export Web Service | SAP BEx Web Java Runtime Export Web Service, versions BI-BASE-E 7.5, BI-BASE-B 7.5, BI-IBC 7.5, BI-BASE-S 7.5, BIWEBAPP 7.5 | High | 8.2 |
| 3423268 | [CVE-2023-30533] Prototype Pollution in SAP S/4HANA (Manage Supply Protection) | SAP S/4HANA, library versions SheetJS CE < 0.19.3 | High | 7.8 |
| 3460407 | Update to Security Note released on June 2024 Patch Day: [CVE-2024-34688] Denial of service (DoS) in SAP NetWeaver AS Java (Meta Model Repository) | SAP NetWeaver AS Java, version MMR_SERVER 7.5 | High | 7.5 |
| 3459935 | [CVE-2024-33003] Information Disclosure vulnerability in SAP Commerce Cloud | SAP Commerce Cloud, versions HY_COM 1808, 1811, 1905, 2005, 2105, 2011, 2205, COM_CLOUD 2211 | High | 7.4 |
| 3466801 | Update to Security Note released on July 2024 Patch Day: [CVE-2024-39593] Information Disclosure vulnerability in SAP Landscape Management | SAP Landscape Management, version VCM 3.00 | Medium | 6.9 |
| 3495876 | [Multiple CVEs] Multiple vulnerabilities in SAP Replication Server (FOSS): CVE-2023-0215, CVE-2022-0778, CVE-2023-0286 | SAP Replication Server, versions 16.0.3, 16.0.4 | Medium | 6.5 |
| 3459379 | Update to Security Note released on June 2024 Patch Day: [CVE-2024-34683] Unrestricted file upload in SAP Document Builder (HTTP service) | SAP Document Builder, versions S4CORE 100, 101, S4FND 102, 103, 104, 105, 106, 107, 108, SAP_BS_FND 702, 731, 746, 747, 748 | Medium | 6.5 |
| 3474590 | [CVE-2024-42376] Multiple Missing Authorization Check vulnerabilities in SAP Shared Service Framework | SAP Shared Service Framework, versions SAP_BS_FND 702, 731, 746, 747, 748 | Medium | 6.5 |
| 3438085 | [CVE-2024-33005] Missing Authorization check in SAP NetWeaver Application Server (ABAP and Java), SAP Web Dispatcher and SAP Content Server | SAP NetWeaver Application Server (ABAP and Java), SAP Web Dispatcher and SAP Content Server, versions KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, WEBDISP 7.53, 7.77, 7.85, 7.22_EXT, 7.89, 7.54, 7.93, KERNEL 7.22, 7.53, 7.77, 7.85, 7.89, 7.54, 7.93 | Medium | 6.3 |
| 3482217 | Update to Security Note released on July 2024 Patch Day: [CVE-2024-39594] Multiple Cross-Site Scripting (XSS) vulnerabilities in SAP Business Warehouse - Business Planning and Simulation | SAP Business Warehouse - Business Planning and Simulation, versions SAP_BW 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, SAP_BW_VIRTUAL_COMP 701 | Medium | 6.1 |
| 3465455 | Update to Security Note released on June 2024 Patch Day: [CVE-2024-37176] Missing Authorization check in SAP BW/4HANA Transformation and DTP | SAP BW/4HANA Transformation and Data Transfer Process, versions DW4CORE 200, 300, 400, 796, SAP_BW 740, 750, 751, 752, 753, 754, 755, 756, 757, 758 | Medium | 5.5 |
| 3483256 | [CVE-2024-41735] Cross-Site Scripting (XSS) vulnerability in SAP Commerce Backoffice | SAP Commerce Backoffice, version HY_COM 2205 | Medium | 5.4 |
| 3471450 | [CVE-2024-41733] Information Disclosure Vulnerability in SAP Commerce | SAP Commerce, versions HY_COM 2205, COM_CLOUD 2211 | Medium | 5.3 |
| 3487537 | [CVE-2024-41737] Server-Side Request Forgery (SSRF) in SAP CRM ABAP (Insights Management) | SAP CRM ABAP (Insights Management), versions BBPCRM 700, 701, 702, 712, 713, 714 | Medium | 5.0 |
| 3458789 | Update to Security Note released on July 2024 Patch Day: [CVE-2024-34689] Server-Side Request Forgery in SAP Business Workflow (WebFlow Services) | SAP Business Workflow (WebFlow Services), versions SAP_BASIS 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758 | Medium | 5.0 |
| 3468102 | [CVE-2024-41732] Improper Access Control in SAP NetWeaver Application Server ABAP | SAP NetWeaver Application Server ABAP, versions SAP_UI 754, 755, 756, 757, 758, SAP_BASIS 700, 701, 702, 731, 912 | Medium | 4.7 |
| 3150704 | Update to Security Note released on January 2023 Patch Day: [CVE-2023-0023] Information Disclosure in SAP Bank Account Management (Manage Banks) | SAP Bank Account Management (Manage Banks), versions 800, 900 | Medium | 4.5 |
| 3433545 | [CVE-2024-42375] Multiple Unrestricted File Upload vulnerabilities in SAP BusinessObjects Business Intelligence Platform (additional CVEs: CVE-2024-28166, CVE-2024-41731) | SAP BusinessObjects Business Intelligence Platform, versions ENTERPRISE 420, 430, 440 | Medium | 4.3 |
| 3475427 | [CVE-2024-41736] Information Disclosure vulnerability in SAP Permit to Work | SAP Permit to Work, versions UIS4HOP1 800, 900 | Medium | 4.3 |
| 3477423 | [CVE-2024-39591] Missing Authorization check in SAP Document Builder | SAP Document Builder, versions S4FND 102, 103, 104, 105, 106, 107, 108, SAP_BS_FND 702, 731, 746, 747, 748 | Medium | 4.3 |
| 3479293 | [CVE-2024-42373] Missing Authorization Check in SAP Student Life Cycle Management (SLcM) | SAP Student Life Cycle Management (SLcM), versions IS-PS-CA 617, 618, 802, 803, 804, 805, 806, 807, 808 | Medium | 4.3 |
| 3494349 | [CVE-2024-41734] Missing Authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform | SAP NetWeaver Application Server ABAP and ABAP Platform, versions SAP_BASIS 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, 912 | Medium | 4.3 |
| 3454858 | Update to Security Note released on July 2024 Patch Day: [CVE-2024-37180] Information Disclosure vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform | SAP NetWeaver Application Server for ABAP and ABAP Platform, versions SAP_BASIS 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758 | Medium | 4.1 |
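The "Versions" column above is written as software component plus release (SAP_BASIS 758, KERNEL 7.93, and so on), which is the same shape as the component list an ABAP system shows under System -> Status. The following is an added example, written for this page and not SNOK's or SAP's own tooling, of turning that table into a first triage list: the note data is transcribed from the rows above (only those expressed as component/release pairs), and the `INSTALLED` inventory is a constructed sample, not a real system. A hit means the note names a component release that is installed; whether the correction (support package or kernel patch level stated in the note itself) is already applied still has to be checked against the note, since the table carries releases only.

```python
"""Triage the August 2024 SAP Security Notes against a system's installed
software component releases.  Added example, not SNOK's or SAP's own tooling.
NOTES is transcribed from the table above; INSTALLED is a constructed sample."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Note:
    number: str        # SAP Security Note number
    cve: str
    priority: str      # SAP priority: Hot News / High / Medium / Low
    cvss: float
    affected: dict     # software component -> set of affected release strings


# Subset of the August 2024 table whose "Versions" column is given as
# "<software component> <release>" pairs.  Notes given by product version
# only (for example ENTERPRISE 430 or SAP Build Apps < 4.11.130) need a
# different inventory source and are deliberately left out here.
NOTES = [
    Note("3438085", "CVE-2024-33005", "Medium", 6.3,
         {"KERNEL": {"7.22", "7.53", "7.77", "7.85", "7.89", "7.54", "7.93"},
          "WEBDISP": {"7.53", "7.77", "7.85", "7.22_EXT", "7.89", "7.54", "7.93"}}),
    Note("3482217", "CVE-2024-39594", "Medium", 6.1,
         {"SAP_BW": {"700", "701", "702", "730", "731", "740", "750", "751",
                     "752", "753", "754", "755", "756", "757", "758"},
          "SAP_BW_VIRTUAL_COMP": {"701"}}),
    Note("3468102", "CVE-2024-41732", "Medium", 4.7,
         {"SAP_UI": {"754", "755", "756", "757", "758"},
          "SAP_BASIS": {"700", "701", "702", "731", "912"}}),
    Note("3477423", "CVE-2024-39591", "Medium", 4.3,
         {"S4FND": {"102", "103", "104", "105", "106", "107", "108"},
          "SAP_BS_FND": {"702", "731", "746", "747", "748"}}),
    Note("3494349", "CVE-2024-41734", "Medium", 4.3,
         {"SAP_BASIS": {"700", "701", "702", "731", "740", "750", "751", "752",
                        "753", "754", "755", "756", "757", "758", "912"}}),
]

# Constructed sample inventory (component -> release); not a real system.
INSTALLED = {"SAP_BASIS": "758", "SAP_UI": "758", "SAP_BW": "758",
             "KERNEL": "7.93", "S4FND": "101"}


def applicable_notes(installed, notes=NOTES):
    """Return [(note, [(component, release), ...])] for every note that names
    an installed component at the installed release, highest CVSS first.

    A hit means "this note covers a component on this system", not "this
    system is vulnerable": the table lists releases only, so whether the
    correction named in the note is already applied is a separate check.
    """
    hits = []
    for note in notes:
        matched = [(comp, rel) for comp, rel in installed.items()
                   if rel in note.affected.get(comp, ())]
        if matched:
            hits.append((note, matched))
    hits.sort(key=lambda hit: hit[0].cvss, reverse=True)
    return hits


def triage_report(installed, notes=NOTES):
    """Plain-text work list, one line per applicable note."""
    lines = []
    for note, matched in applicable_notes(installed, notes):
        comps = ", ".join(f"{c} {r}" for c, r in matched)
        lines.append(f"{note.number} {note.cve} {note.priority} "
                     f"(CVSS {note.cvss}): check {comps}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(triage_report(INSTALLED))
```

For the sample inventory this yields four notes to check (3438085, 3482217, 3468102 and 3494349); note 3468102 is selected through SAP_UI 758 even though SAP_BASIS 758 is not in its list, and 3477423 is not selected because S4FND 101 is outside the releases it names. Releases are compared as strings on purpose: SAP release identifiers such as 7.22_EXT or 912 are labels, not numbers, so no ordering is assumed.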
SNOK Recommendations
The most important step in securing SAP systems is to apply the August Patch Day notes without delay, starting with the two Hot News notes (3479478 for the BusinessObjects Business Intelligence Platform and 3477196 for SAP Build Apps) and the High-priority notes, since these close the vulnerabilities most likely to be exploited. The 8 updated notes should be reviewed again even where the original note was already applied, because an update can change the affected versions or the correction instructions. Regular monitoring of both the systems and the SAP security note feed allows new threats to be detected quickly and the corresponding fixes to be deployed promptly. It is also worth investing in ongoing training for IT teams: ensuring they understand the latest threats and defence methods is key to maintaining the security of the entire infrastructure. SAP systems, given their complexity and central role within organisations, require particular attention, so IT specialists should stay up to date with the latest threats and security technologies.
Summary
The August SAP Security Patch Day brought a series of important updates aimed at protecting systems against new threats, among them two Hot News notes with CVSS scores of 9.8 and 9.1. Each of these updates matters for the security of the SAP environment and should be implemented as soon as possible; ignoring such fixes can lead to serious consequences such as data breaches or system downtime. System security is not only a matter of deploying fixes, but also of ongoing cooperation with experts who can help interpret threats and implement the appropriate protective measures. SNOK offers support at every stage of this process, enabling effective and proactive security management within the SAP environment.