SAP rolls out a series of crucial patches, notably addressing a critical vulnerability within the SAP ABA cross-application component. The identified code injection bug, designated as CVE-2024-22131 with a severity score of 9.1, posed a significant threat, potentially allowing attackers with remote execution authorization to manipulate user and business data without proper permission. The flaw stemmed from inadequate checks on external calls to a function module, exposing systems to exploitation.
SAP’s remedial action includes the implementation of a configurable check on external calls to the function module, effectively mitigating the risk posed by the vulnerability. Although the default configuration blocks external calls, customers retain the flexibility to adjust settings to accommodate legitimate usage scenarios. Notably, the vulnerability affects multiple versions of SAP ABA, underlining the widespread impact of the issue across various deployments.
Additionally, SAP issued several other security notes addressing high-severity bugs, encompassing cross-site scripting (XSS), XML External Entity (XEE) injection, and code injection defects in various components. With cyber threats evolving rapidly, users are strongly advised to promptly apply the provided patches to fortify their systems against potential exploitation. While SAP has not reported any instances of active exploitation, the proactive deployment of patches remains crucial given the historical propensity of threat actors to target known vulnerabilities in SAP products.
