2 months ago
23
SAP vulnerabilities were a cardinal absorption during the September Patch Day, with aggregate information updates released to heighten the extortion of SAP systems.
In September 2024, SAP released nineteen caller and updated information notes aimed astatine addressing vulnerabilities successful assorted systems. Among these were updates to 1 HotNews enactment and 1 High Priority note. The HotNews Note #3479478, rated with a CVSS people of 9.8, focuses connected a missing authentication cheque vulnerability successful SAP BusinessObjects Business Intelligence Platform, which posed a hazard of unauthorized entree to captious data. Initially released successful August, the updated enactment provided workaround solutions for users incapable to use the spot instantly and extended the hole to the Enterprise bundle merchandise 420.
The High Priority Note #3459935, with a CVSS people of 7.4, addresses an accusation disclosure vulnerability successful SAP Commerce Cloud. This contented required a revision of the patch, updating the recommended hole from Release 2211.27 to Release 2211.28. SAP’s proactive measures successful issuing these updates item the value of continuous information reviews to mitigate risks and support delicate data.
Onapsis Research Labs contributed importantly to resolving SAP vulnerabilities during the September Patch Day, assisting SAP successful identifying and patching 12 issues crossed 7 information notes. Thomas Fritsch, Manager of Content and Technical Research astatine Onapsis, emphasized the value of ongoing collaboration with SAP to guarantee swift recognition and solution of captious vulnerabilities. This collaboration helped code assorted information threats that could person perchance impacted SAP customers.
One of the astir captious areas addressed was Cross-Site Scripting vulnerabilities successful eProcurement connected S/4HANA and the CRM Blueprint Application Builder Panel. These vulnerabilities were documented successful SAP Security Notes #3497347 and #3501359, with some rated astatine a CVSS people of 6.1. Weak input validation successful these systems could person allowed attackers to inject malicious scripts, enabling unauthorized entree to information. The timely patches implemented by SAP trim the hazard of specified attacks, improving the information of idiosyncratic data.
Another cardinal vulnerability patched was a missing authorization cheque successful SAP Production and Revenue Accounting, covered successful SAP Security Note #3488341. This contented allowed unauthorized users to entree delicate accusation done a remote-enabled relation module. With the spot successful place, SAP present restricts entree to authorized users only, reducing the likelihood of unauthorized information disclosure.
Furthermore, SAP Security Note #3488039 addressed six further vulnerabilities successful RFC-enabled relation modules, which had the imaginable to disrupt users’ entree to SAP GUI. One peculiar vulnerability, tracked nether CVE-2024-45285, could person allowed a low-privileged attacker to artifact a circumstantial idiosyncratic from accessing SAP GUI by sending a crafted packet. SAP’s spot efficaciously closes this information loophole by preventing outer entree to these susceptible modules.
Further SAP Vulnerabilities Patched successful September
Additional vulnerabilities were addressed successful specialized SAP systems. For instance, SAP Security Note #3505293, with a CVSS people of 4.3, corrected an authorization contented successful SAP for Oil & Gas. This vulnerability allowed non-administrative users to delete information entries, perchance disrupting concern processes. By applying the indispensable authorization checks, SAP has ensured that lone authorized users tin change the data, safeguarding the integrity of the system.
Information disclosure vulnerabilities successful SAP BW (BEx Analyzer) were besides patched successful SAP Security Notes #3481588 and #3481992. These issues allowed attackers to summation unauthorized entree to delicate information done the network. SAP’s patches guarantee that lone authenticated users tin presumption specified information, importantly lowering the hazard of information breaches.
Although nary caller HotNews oregon High Priority Notes were introduced, the updates provided solutions to respective captious issues, peculiarly successful the areas of cross-site scripting and missing authorization checks. By continuing to prioritize security, SAP ensures that its customers tin trust connected their systems without fearfulness of exploitation oregon information loss.
