SAP Patchday: Attackers can compromise systems through security gap

SAP issues 14 new security notes for the May Patchday. Attackers can smuggle in malicious code through the gaps.

Stylized image: a laptop with the SAP logo on fire, in front of server racks

There are security gaps in SAP products.

(Image: created with AI in Bing Designer by heise online / dmk)

This article was originally published in German and has been automatically translated.

SAP has published fourteen security notes on vulnerabilities in various SAP products for the May Patchday. Several of them cover flaws rated as critical. Admins should install the available updates promptly.

SAP's patchday overview lists information on the vulnerabilities and affected products. In SAP CX Commerce, for example, there are several vulnerabilities, such as a CSS injection vulnerability in Swagger UI from 2019 and a flaw in a JDBC driver of Apache Calcite Avatica from 2022, which now carry a critical rating with a CVSS score of 9.8. In SAP NetWeaver Application Server ABAP and ABAP Platform, on the other hand, there is a gap that unauthenticated attackers can trigger by uploading a malicious file and thus completely compromise the server (CVE-2024-33006, CVSS 9.6, critical).

In the SAP BusinessObjects Business Intelligence Platform, attackers can exploit a stored cross-site scripting vulnerability to manipulate parameters in an opendocument URL (CVE-2024-28165, CVSS 8.1, high). This has a strong impact on the confidentiality and integrity of the application, SAP's developers write in the corresponding CVE entry.

Other vulnerabilities with a medium or low threat level affect, in descending order of severity, SAP Enable Now Manager, SAP NetWeaver Application Server for ABAP and ABAP Platform, SAP S/4HANA (Document Service Handler for DPS), SAP My Travel Requests, SAP Replication Server, SAP S/4 HANA (Manage Bank Statement Reprocessing Rules), SAP BusinessObjects Business Intelligence Platform (web services), SAP Global Label Management, SAP Bank Account Management and SAP UI5 (PDFViewer). SAP is, of course, also providing updates for these applications to fix the security-relevant errors.

SAP customers will receive further information on the vulnerabilities, affected products and software patches after logging into their SAP account. The individual security notes are linked in the patchday overview.

In April, SAP sealed ten security gaps in its various products. Of these, the developers had classified three as high risk.

(dmk)