Enterprise software maker SAP on Tuesday announced the release of 16 new and three updated security notes as part of its September 2024 Security Patch Day.
At the top of this month’s list of security notes are the three updates, all for notes released in August 2024 to resolve critical-, high- and medium-severity vulnerabilities.
The first of them, a hot news note that resolves a missing authorization check in BusinessObjects (CVE-2024-41730, CVSS score of 9.8), was updated with workaround instructions for customers who cannot apply the available patches, enterprise application security firm Onapsis explains.
The second, addressing a high-severity information disclosure bug in Commerce Cloud (CVE-2024-33003, CVSS score of 7.4), updates the fixed version of the affected application.
SAP also updated a medium-priority note that patches multiple security defects in Replication Server (FOSS), and released 13 other security notes fixing medium-severity flaws in NetWeaver, Commerce Cloud, BusinessObjects, Business Warehouse, S/4 HANA, and SAP for Oil & Gas.
The resolved issues include cross-site scripting (XSS), information disclosure, DLL hijacking, and missing authorization check vulnerabilities that could impact the availability, confidentiality, and integrity of the applications.
One of the notes addresses six missing authorization check flaws in NetWeaver, including one that “allows a low privileged attacker to send a crafted packet in the vulnerable function module targeting a specific user. This user will no longer have access to any functionality of SAP GUI and will thus experience a total loss of application availability,” Onapsis says.
The remaining three security notes that SAP released this month resolve low-severity missing authorization check flaws in Student Life Cycle Management (SLcM) and NetWeaver Application Server for ABAP and ABAP Platform.
SAP makes no mention of any of these vulnerabilities being exploited in the wild. Users are advised to review SAP’s security notes and apply the fixes as soon as possible.
Related: SAP Patches Critical Vulnerabilities in BusinessObjects, Build Apps
Related: 38 Tech Leaders Sign Cyber Resilience Pledge
Related: Security Analysis Leads to Discovery of Vulnerabilities in 18 Electron Applications
Related: In Other News: Linux Kernel Exploits, Update on BEC Losses, Cybersecurity Awareness Act
