Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

SAP Patches Critical Vulnerability in BusinessObjects

SAP has released 12 new and updated security notes on October 2024 patch day, including one that fixes a critical flaw in BusinessObjects.

SAP

Enterprise software maker SAP on Tuesday released six new security notes with patches for a wide range of vulnerabilities, including a critical issue in its BusinessObjects Business Intelligence product line.

The company called urgent attention to CVE-2024-41730, a missing authorization check issue in the BusinessObjects Business Intelligence suite that carries a critical-severity rating.

SAP released fixes for the bug in August 2024, but has updated the security note with additional patches for customers who are using BusinessObjects version 4.2 SP009, according to Onapsis, a security firm that specializes in SAP and Oracle applications.

This month, SAP rolled out fixes for four high-severity vulnerabilities in Enterprise Project Connection, all four identified in the Spring framework (CVE-2024-22259, CVE-2024-38809, CVE-2024-38808) and Log4j (CVE-2022-23302) open source libraries.

Next in line is a high-severity insecure file operations vulnerability in BusinessObjects that could allow authenticated users to download any file from a hosting machine by sending crafted requests to the Web Intelligence Reporting Server.

On Tuesday, SAP also released an updated security note that addresses a high-severity missing authorization check bug in Product Design Cost Estimating (PDCE). Initially released in July 2024, the security note now fixes the bug in additional components.

Advertisement. Scroll to continue reading.

The remaining eight security notes (four new and four updated) that SAP included in its October 2024 security patch day address medium-severity defects in NetWeaver, Commerce Backoffice, HANA Client, S/4 HANA, and Student Life Cycle Management.

Users are advised to apply the patches and mitigations in SAP’s security notes as soon as possible. While the company makes no mention of any of these vulnerabilities being exploited in the wild, threat actors are known to have exploited bugs in SAP products for which patches have been released.

Related: SAP Releases 16 New Security Notes on September Patch Day

Related: Organizations Warned of Exploited SAP, Gpac, D-Link Vulnerabilities

Related: For Smaller Enterprises Infrastructure Security Starts With Hygiene

Related: Secure by Default: What It Means for the Modern Enterprise

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

James Phillips has been promoted to the role of Vice President, Cybersecurity Risk Management at AT&T.

Rafal Los has joined Binary Defense as Chief Strategy Officer.

Tracey Mustacchio has joined Everfox as Chief Marketing Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.