Enterprise software maker SAP on Tuesday released six new security notes with patches for a wide range of vulnerabilities, including a critical issue in its BusinessObjects Business Intelligence product line.
The company called urgent attention to CVE-2024-41730, a missing authorization check issue in the BusinessObjects Business Intelligence suite that carries a critical-severity rating.
SAP released fixes for the bug in August 2024, but has updated the security note with additional patches for customers who are using BusinessObjects version 4.2 SP009, according to Onapsis, a security firm that specializes in SAP and Oracle applications.
This month, SAP rolled out fixes for four high-severity vulnerabilities in Enterprise Project Connection, all four identified in the Spring framework (CVE-2024-22259, CVE-2024-38809, CVE-2024-38808) and Log4j (CVE-2022-23302) open source libraries.
Next in line is a high-severity insecure file operations vulnerability in BusinessObjects that could allow authenticated users to download any file from a hosting machine by sending crafted requests to the Web Intelligence Reporting Server.
On Tuesday, SAP also released an updated security note that addresses a high-severity missing authorization check bug in Product Design Cost Estimating (PDCE). Initially released in July 2024, the security note now fixes the bug in additional components.
The remaining eight security notes (four new and four updated) that SAP included in its October 2024 security patch day address medium-severity defects in NetWeaver, Commerce Backoffice, HANA Client, S/4 HANA, and Student Life Cycle Management.
Users are advised to apply the patches and mitigations in SAP’s security notes as soon as possible. While the company makes no mention of any of these vulnerabilities being exploited in the wild, threat actors are known to have exploited bugs in SAP products for which patches have been released.