On August 13, 2024, SAP released a comprehensive set of security updates addressing 25 vulnerabilities as part of its August Security Patch Day. This release includes 17 new security notes and eight updates to existing notes, focusing on critical flaws across various SAP products. Among these, two vulnerabilities have been flagged as ‘hot news’ due to their severe impact. The first, tracked as CVE-2024-41730, involves a missing authentication check in the BusinessObjects Business Intelligence platform, potentially allowing attackers to gain unauthorized access and compromise the entire system.
The second critical issue, identified as CVE-2024-29415, is a server-side request forgery (SSRF) bug found in the Node.js library used in Build Apps. This flaw could be exploited to manipulate server requests, and SAP recommends that all applications built with Build Apps be updated to version 4.11.130 or later to mitigate the risk. The release also addresses high-severity vulnerabilities in several other SAP products, including an XML injection flaw in BEx Web, a prototype pollution bug in S/4 HANA, and an information disclosure issue in Commerce Cloud.
Additionally, SAP updated a previous security note from June 2024 to address a denial-of-service (DoS) vulnerability in NetWeaver AS Java, which impacts the Meta Model Repository. The update resolves the issue and helps prevent potential service disruptions. The remaining 19 security notes cover medium-severity vulnerabilities, including those that could lead to information disclosure, privilege escalation, code injection, and data deletion.
Organizations using SAP products are urged to review and apply these patches without delay to protect their systems from potential threats. As vulnerabilities in SAP software have been known targets for attackers, timely patching is crucial to maintaining security and mitigating risks associated with these newly discovered flaws.
Reference:
