Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

SAP Patches Critical Vulnerabilities in BusinessObjects, Build Apps

SAP has released 25 security notes on August 2024 Security Patch Day, including for critical vulnerabilities in BusinessObjects and Build Apps.

SAP vulnerability patches

Enterprise software maker SAP on Tuesday announced the release of 17 new and eight updated security notes as part of its August 2024 Security Patch Day.

Two of the new security notes are rated ‘hot news’, the highest priority rating in SAP’s book, as they address critical-severity vulnerabilities.

The first deals with a missing authentication check in the BusinessObjects Business Intelligence platform. Tracked as CVE-2024-41730 (CVSS score of 9.8), the flaw could be exploited to get a logon token using a REST endpoint, potentially leading to full system compromise.

The second hot news note addresses CVE-2024-29415 (CVSS score of 9.1), a server-side request forgery (SSRF) bug in the Node.js library used in Build Apps. According to SAP, all applications built using Build Apps should be re-built using version 4.11.130 or later of the software.

Four of the remaining security notes included in SAP’s August 2024 Security Patch Day, including an updated note, resolve high-severity vulnerabilities.

The new notes resolve an XML injection flaw in BEx Web Java Runtime Export Web Service, a prototype pollution bug in S/4 HANA (Manage Supply Protection), and an information disclosure issue in Commerce Cloud.

The updated note, initially released in June 2024, resolves a denial-of-service (DoS) vulnerability in NetWeaver AS Java (Meta Model Repository).

According to enterprise application security firm Onapsis, the Commerce Cloud security defect could lead to the disclosure of information via a set of vulnerable OCC API endpoints that allow information such as email addresses, passwords, phone numbers, and certain codes “to be included in the request URL as query or path parameters”.

Advertisement. Scroll to continue reading.

“Since URL parameters are exposed in request logs, transmitting such confidential data through query parameters and path parameters is vulnerable to data leakage,” Onapsis explains.

The remaining 19 security notes that SAP announced on Tuesday address medium-severity vulnerabilities that could lead to information disclosure, escalation of privileges, code injection, and data deletion, among others.

Organizations are advised to review SAP’s security notes and apply the available patches and mitigations as soon as possible. Threat actors are known to have exploited vulnerabilities in SAP products for which patches have been released.

Related: SAP AI Core Vulnerabilities Allowed Service Takeover, Customer Data Access

Related: SAP Patches High-Severity Vulnerabilities in PDCE, Commerce

Related: SAP Patches High-Severity Vulnerabilities in Financial Consolidation, NetWeaver

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Defense contractor Nightwing has appointed Tricia Fitzmaurice as Chief Growth Officer.

Xage Security has appointed Russell McGuire as CRO and Ashraf Daqqa as VP of the META region.

Solana co-founder Stephen Akridge has been appointed the CEO of data protection firm Cyber Grant.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.