SAP delivers security fixes for two high-risk vulnerabilities on Patchday
SAP warns of ten new security vulnerabilities on June Patchday. Updates to seal the leaks are available.
There are security gaps in SAP products.
(Image: Created with AI in Bing Designer by heise online / dmk)
SAP published security notes on ten newly discovered vulnerabilities on June Patchday. Two of these relate to vulnerabilities that have been given a "high" risk rating.
According to SAP, the most serious is a flaw in SAP Financial Consolidation. Attackers can inject data from untrusted sources into a web application. Because the affected endpoints are reachable over the network, the content served by the website can be altered. The impact on confidentiality and integrity is significant (CVE-2024-37177, CVSS 8.1, risk "high"). In addition, malicious actors can provoke a denial of service in SAP NetWeaver AS Java, so that legitimate users can no longer access it (CVE-2024-34688, CVSS 7.5, risk "high").
Vulnerabilities in other SAP products
There are also vulnerabilities with a medium risk rating in SAP NetWeaver and ABAP Platform, SAP Document Builder (HTTP service), SAP S/4HANA (Manage Incoming Payment Files), SAP CRM (WebClient UI), SAP BW/4HANA Transformation and DTP, SAP Student Life Cycle Management (SLcM) and SAP NetWeaver AS Java (Guided Procedures). There is also a low-risk vulnerability in SAP BusinessObjects Business Intelligence Platform (Scheduling), which could lead to the unauthorized disclosure of information.
SAP has also updated older security notes. The original warning about a vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform dates back to May, and there was also an update to a notification from June 2018 about a vulnerability in Central Finance Infrastructure Components.
IT managers should plan and apply the updates for the vulnerable SAP software they use in a timely manner in order to reduce the attack surface available to cyberattacks.
On the May Patchday, SAP patched as many as 14 security vulnerabilities in various products from its portfolio. Attackers could have used them to infiltrate malicious code.
(dmk)