SecurityWeek

SAP Patches Critical Vulnerability in BusinessObjects

SAP has released 12 new and updated security notes on October 2024 patch day, including one that fixes a critical flaw in BusinessObjects.

Enterprise software maker SAP on Tuesday released six new security notes with patches for a wide range of vulnerabilities, including a critical issue in its BusinessObjects Business Intelligence product line.

The company called urgent attention to CVE-2024-41730, a missing authorization check issue in the BusinessObjects Business Intelligence suite that carries a critical-severity rating.

SAP released fixes for the bug in August 2024, but has updated the security note with additional patches for customers who are using BusinessObjects version 4.2 SP009, according to Onapsis, a security firm that specializes in SAP and Oracle applications.

This month, SAP rolled out fixes for four high-severity vulnerabilities in Enterprise Project Connection, all four identified in the Spring framework (CVE-2024-22259, CVE-2024-38809, CVE-2024-38808) and Log4j (CVE-2022-23302) open source libraries.

Next in line is a high-severity insecure file operations vulnerability in BusinessObjects that could allow authenticated users to download any file from a hosting machine by sending crafted requests to the Web Intelligence Reporting Server.

On Tuesday, SAP also released an updated security note that addresses a high-severity missing authorization check bug in Product Design Cost Estimating (PDCE). Initially released in July 2024, the security note now fixes the bug in additional components.

The remaining eight security notes (four new and four updated) that SAP included in its October 2024 security patch day address medium-severity defects in NetWeaver, Commerce Backoffice, HANA Client, S/4 HANA, and Student Life Cycle Management.

Users are advised to apply the patches and mitigations in SAP’s security notes as soon as possible. While the company makes no mention of any of these vulnerabilities being exploited in the wild, threat actors are known to have exploited bugs in SAP products for which patches have been released.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
