SAP Patchday: Eight new security vulnerabilities, one of which is highly risky

Admins can take a more relaxed view of the current SAP patch day: Of eight new security vulnerabilities, only one is considered high risk.

Stylized image: Laptop with SAP logo on fire, in front of server racks

There are security gaps in SAP products.

(Image: created with AI in Bing Designer by heise online / dmk)

SAP has published the security patches for the November Patchday. They address eight newly reported vulnerabilities. There are also updates for two older security notes.

SAP lists the individual security notes in the patchday overview. The most serious is a cross-site scripting vulnerability in the SAP Web Dispatcher. Attackers can create and publish a malicious link without prior registration. If a victim clicks on it, the data passed in it is executed in the victim's context (CVE-2024-47590, CVSS 8.8, risk "high"). The SAP developers' assessment of the risk therefore only just misses the "critical" severity level. IT managers should quickly apply the available update.

Six further security vulnerabilities in SAP products represent a medium risk for those affected. The Walldorf-based company classifies a further vulnerability as a low threat level. The two updated security notes also concern a high security risk due to a missing authorization check in SAP PDCE (corrected on the July patchday) and a low risk for a similar error in SAP Bank Account Management from May.


The individual new security notes relate to the following products:

  • Cross-Site Scripting (XSS) vulnerability in SAP Web Dispatcher, CVE-2024-47590, CVSS 8.8, risk "high"
  • Missing Authorization check in SAP NetWeaver AS Java (System Landscape Directory), CVE-2024-42372, CVSS 6.5, medium
  • Local Privilege Escalation in SAP Host Agent, CVE-2024-47595, CVSS 6.3, medium
  • Information Disclosure Vulnerability in SAP NetWeaver Application Server Java (Logon Application), CVE-2024-47592, CVSS 5.3, medium
  • NULL Pointer Dereference vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform, CVE-2024-47586, CVSS 5.3, medium
  • Information Disclosure vulnerability in SAP NetWeaver Java (Software Update Manager), CVE-2024-47588, CVSS 4.7, medium
  • Information Disclosure Vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform, CVE-2024-47593, CVSS 4.3, medium
  • Missing authorization check in SAP Cash Management (Cash Operations), CVE-2024-47587, CVSS 3.5, low

In the SAP overview, administrators can find links to internal documents with details of the vulnerabilities; these documents can be accessed after logging in.

In October, SAP reported six new security vulnerabilities in its business products. However, two of these were considered high risk and should therefore be addressed quickly.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.