Enterprise software maker SAP this week announced the release of 10 new and two updated security notes as part of its first Security Patch Day of 2024.
Rated ‘hot news’, the highest rating in SAP’s notebook, two of the new and one of the updated security notes deal with critical-severity escalation of privilege vulnerabilities in several products, SAP explains in its advisory (PDF).
The first hot news security note resolves CVE-2023-49583, a security defect in Business Application Studio, Web IDE Full-Stack and Web IDE for SAP HANA.
The issue impacts SAP customers who created Node.js applications using the aforementioned SAP software, as these applications may rely on dependencies that use vulnerable versions of two SAP libraries, enterprise software security firm Onapsis explains.
SAP’s second hot news note addresses the same vulnerability, along with CVE-2023-50422, in Edge Integration Cell, a hybrid solution that comes with SAP Integration Suite to provide API integration and which relies on BTP Security Services Integration Libraries and Programming Infrastructures, Onapsis explains.
The third hot news security note is an update to a note released in December 2023 to resolve multiple escalation of privilege bugs in Business Technology Platform (BTP) Security Services Integration Libraries, including CVE-2023-49583 and CVE-2023-50422.
“The note was updated one day after December Patch Day with additional information in multiple text sections. Customers who already applied the patch are not affected,” Onapsis says.
SAP also resolved four high-severity vulnerabilities on its first Security Patch Day of 2024. The first is a code injection bug in Application Interface Framework (File Adapter) that could allow an attacker to execute OS commands.
The second high-severity flaw is described as a denial-of-service (DoS) issue in Web Dispatcher and NetWeaver Application Server ABAP that could be exploited without authentication.
Next in line is an information disclosure defect in the Microsoft Edge browser extension, while the fourth high-severity bug is an improper authorization check in LT Replication Server.
The five remaining security notes deal with four medium- and one low-severity vulnerability in S/4HANA Finance, NetWeaver AS for Java, NetWeaver ABAP Application Server and ABAP Platform, NetWeaver Internet Communication Manage, and Marketing.
SAP customers are advised to apply the patches as soon as possible. While the software maker makes no mention of any of these vulnerabilities being exploited in the wild, unpatched SAP applications are known to have been exploited in malicious attacks.