Enterprise software maker SAP announced the release of 13 new and three updated security notes as part of its February 2024 Security Patch Day, including one addressing a critical vulnerability in the SAP ABA cross-application component.
The critical issue, a code injection bug tracked as CVE-2024-22131 (CVSS score of 9.1), could be exploited by an attacker that has remote execution authorization to use a vulnerable interface to invoke an application function and perform actions without permission.
“Depending on the function executed, the attack(er) can read or modify any user/business data and can make the entire system unavailable,” a NIST advisory reads.
According to enterprise application security firm Onapsis, the flaw exists because of a lack of sufficient checks on external calls to a function module.
“The Web Survey feature in SAP provides an RFC-enabled function module that allows dynamically calling any static method of the system without checking any specific authorization. An external call of the function module is only protected by the implicit S_RFC check,” Onapsis says.
SAP has addressed the flaw by adding a configurable check on external calls to the function module. Enabled by default, the check blocks the external calls, but customers can adjust its configuration to be able to use the Web Survey remote capabilities.
The vulnerability impacts SAP ABA (Application Basis) versions 700, 701, 702, 731, 740, 750, 751, 752, 75C, and 75I, SAP explains in its advisory.
The software maker also released five new security notes dealing with high-severity bugs, including cross-site scripting (XSS) and XML External Entity (XEE) injection bugs in NetWeaver AS Java, an XSS issues in CRM (WebClient UI), a code injection defect in IDES Systems, and an improper certificate validation in Cloud Connector.
Seven medium-severity flaws impacting Bank Account Management, Companion, NetWeaver Application Server ABAP (SAP Kernel), NetWeaver Business Client for HTML, Fiori, Master Data Governance Material, and CRM (WebClient UI) were also resolved.
On Tuesday, SAP also announced updates for a hot news note delivering patches for 33 vulnerabilities in the Chrome browser for Business Client, a high-priority note addressing an information disclosure bug in NetWeaver Application Server ABAP, and a low-priority note fixing a directory traversal issue in Master Data Governance.
Users are advised to apply the patches as soon as possible. SAP makes no mention of any of these vulnerabilities being exploited in attacks, but threat actors are known to have targeted flaws in SAP products for which fixes have been released.
Related: SAP’s First Patches of 2024 Resolve Critical Vulnerabilities
Related: SAP Patches Critical Vulnerability in Business Technology Platform
Related: SAP Patches Critical Vulnerability in Business One Product