CVE-2024-22131 (CVSS 9.1): Critical flaws affect SAP products

CVE-2024-22131

German software giant SAP has sounded the alarm bells with its February 2024 Security Patch Day, releasing a total of 13 new and 3 updated security notes. These patches address a range of vulnerabilities, including two that pose critical risks to businesses relying on SAP systems.

Among these vital patches, two stand out with SAP’s highest severity ranking of “Hot News”:

  • Chrome-based Browser in SAP Business Client: This update, with a perfect CVSS score of 10, is an update to a previous patch from April 2018. It fixes critical flaws in the browser component of SAP Business Client that could leave it open to devastating attacks.

  • Code Injection Flaw in SAP ABA: The second “Hot News” patch targets a serious flaw (CVE-2024-22131, CVSS score 9.1) in the SAP Application Basis (ABA) layer. This vulnerability could potentially allow attackers, authenticated as users with remote execution authorization, to exploit a vulnerable interface. By doing so, they could invoke application functions to perform unauthorized actions, ranging from reading or modifying sensitive user/business data to rendering the entire system unavailable.

Beyond the headliners, SAP also flagged five other “high priority” patches. These vulnerabilities affect:

  • SAP NetWeaver AS Java
  • SAP CRM
  • SAP IDES Systems
  • SAP Cloud Connector

Lastly, the remaining updates primarily target medium-severity vulnerabilities in areas like:

  • SAP Bank Account Management
  • SAP Companion
  • SAP NetWeaver Application Server ABAP and Business Client for HTML
  • SAP Fiori apps
  • SAP Master Data Governance Material
  • SAP CRM

The sheer number and breadth of patches in this SAP Security Patch Day highlight the ever-present threat of cyberattacks. If your business uses SAP systems, the immediate priority is clear: apply these patches as soon as possible. By addressing vulnerabilities across the spectrum of severity, SAP not only protects its clients from immediate threats but also strengthens the overall security posture of the global business community.