SAP Security Notes – October 2024 - Safe O'Clock

SAP Security Notes – October 2024

October 8, 2024

On the 8th of October 2024, SAP Security Patch Day saw the release of 6 new Security Notes.

There were 7 updates to previously released Security Notes.

Notes by severity

HotNews 1
Correction with high priority 3
Correction with medium priority 9
Correction with low priority 0

Highlights


On the October Patch Day SAP presents 4 high-severity Notes, one of them rated HotNews.

Many of this month's Notes are updates to earlier releases, so we break down the ones most critical to the health of your infrastructure.

To start, let us highlight the crucial security update for SAP BusinessObjects Business Intelligence Platform: the update to Note 3479478 – Missing Authentication check in SAP BusinessObjects Business Intelligence Platform – with a CVSS Score of 9.8.
If Single Sign-On is enabled on Enterprise authentication in SAP BusinessObjects Business Intelligence Platform, an unauthenticated user can use a REST endpoint to obtain a logon token. With that token the attacker can fully compromise the system, with a high impact on confidentiality, integrity, and availability.

This Note has been re-released with updated 'Support Packages & Patches' information; the newest fixes are delivered in the latest Support Package.


The next fix for BusinessObjects was provided in Note 3478615 – Insecure File Operations vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Intelligence) – with a CVSS Score of 7.7.
An authenticated user can download any file from the host running the Web Intelligence Reporting Server by sending a specially crafted request to it. This has a high impact on the application's confidentiality.

Another high-severity Note, 3523541, is dedicated to SAP Enterprise Project Connection – Multiple vulnerabilities in SAP Enterprise Project Connection – with a CVSS Score of 8.0.
The versions of the Spring Framework and Log4j open-source libraries used by SAP Enterprise Project Connection are affected by the CVEs listed in the 'Other terms' section of the Note. For easy reference, they are:
CVE-2024-22259, CVE-2024-38809, CVE-2024-38808, CVE-2022-23302.

Next come the updates to Notes for various other SAP systems and components that are worth mentioning.


The first is the update to Note 3483344 – Missing Authorization check in SAP PDCE – with a CVSS Score of 7.7.

SAP PDCE does not perform the necessary authorization checks for an authenticated user, resulting in escalation of privileges. This has a high impact on the application's confidentiality, as it allows the attacker to read sensitive data.
This Note has been re-released with updated 'Correction Instruction' information.


The second is the update to Note 3495876 – Multiple vulnerabilities in SAP Replication Server (FOSS) – with a CVSS Score of 6.5.
The OpenSSL and Spring Framework Free and Open Source Software (FOSS) libraries shipped with SAP Replication Server are affected by several vulnerabilities (CVE-2023-0215, CVE-2022-0778, and CVE-2023-0286). SAP Replication Server itself does not use the affected functionality, so it is not exploitable through them; however, the vulnerable libraries remain on the installation host and may still expose the surrounding environment.

This Note has been re-released with a minor textual correction in the 'Symptom' section.

The last update to mention is Note 3477359 – Information disclosure vulnerability in SAP NetWeaver AS for Java (Destination Service) – with a CVSS Score of 6.0.
An authenticated attacker with high privileges can obtain sensitive data from SAP NetWeaver AS for Java: when an RFC destination is created, the attacker can read its username and password. After successful exploitation the attacker can read sensitive data but cannot modify or delete it.
This Note has been re-released with updated 'Solution' information.

With our monthly Notes breakdowns you will always know precisely what security issues to cover first and foremost.
Stay safe!

SAP Component | Note | Description | Priority | CVSS | CVSS Vector
BI-BIP-INV | 3479478 | [CVE-2024-41730] Missing Authentication check in SAP BusinessObjects Business Intelligence Platform | HotNews | 9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CA-EPC | 3523541 | [CVE-2022-23302] Multiple vulnerabilities in SAP Enterprise Project Connection | high | 8.0 | CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
BI-RA-WBI-BE | 3478615 | [CVE-2024-37179] Insecure File Operations vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Intelligence) | high | 7.7 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
FIN-BA | 3483344 | [CVE-2024-39592] Missing Authorization check in SAP PDCE | high | 7.7 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
BC-SYB-REP | 3495876 | [Multiple CVEs] Multiple vulnerabilities in SAP Replication Server (FOSS) | medium | 6.5 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H
BC-JAS-SEC-DST | 3477359 | [CVE-2024-45283] Information disclosure vulnerability in SAP NetWeaver AS for Java (Destination Service) | medium | 6.0 | CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
CEC-SCC-CDM-BO-APP | 3507545 | [CVE-2024-45278] Cross-Site Scripting (XSS) vulnerability in SAP Commerce Backoffice | medium | 5.4 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EP-KM-ADM-CFG | 3503462 | [CVE-2024-47594] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal (KMC) | medium | 5.4 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
HAN-DB-CLI | 3520100 | [CVE-2024-45277] Prototype Pollution vulnerability in SAP HANA Client | medium | 4.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
FI-FIO-AR | 3251893 | [CVE-2024-45282] HTTP Verb Tampering in SAP S/4 HANA (Manage Bank Statements) | medium | 4.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
BW-BEX-ET-WB-7X | 3481588 | [CVE-2024-41729] Information Disclosure vulnerability in SAP NetWeaver BW (BEx Analyzer) | medium | 4.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
IS-HER-CM-AD | 3479293 | [CVE-2024-42373] Missing Authorization Check in SAP Student Life Cycle Management (SLcM) | medium | 4.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
BC-SRV-DX-DXW | 3454858 | [CVE-2024-37180] Information Disclosure vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform | medium | 4.1 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N