SAP Patches Critical BusinessObjects Vulnerability with October Security Updates
SAP has released its monthly security patch updates, addressing several vulnerabilities across its product portfolio. The October Security Patch Day includes six new security notes and six updates to previously released notes. Among the critical fixes is an update for a missing authentication check vulnerability in SAP BusinessObjects Business Intelligence Platform (CVE-2024-41730). This vulnerability carries a high CVSS score of 9.8 and could allow an attacker to gain unauthorized access to sensitive data or disrupt business operations.
Other notable vulnerabilities include CVE-2022-23302 and related CVEs (CVE-2024-22259, CVE-2024-38809, CVE-2024-38808), which impact SAP Enterprise Project Connection. This vulnerability is categorized as High, with a CVSS score of 8.0. These issues could allow attackers to compromise the confidentiality and integrity of sensitive project data, particularly in organizations using SAP Enterprise Project Connection 3.0.
Another high-risk vulnerability, CVE-2024-37179, concerns Insecure File Operations in SAP BusinessObjects Business Intelligence Platform (Web Intelligence). With a CVSS score of 7.7, this vulnerability affects multiple versions, including ENTERPRISE 420, 430, and 2025, as well as ENTERPRISECLIENTTOOLS.
SAP also addressed information disclosure vulnerabilities in SAP NetWeaver AS for Java (CVE-2024-45283), which was updated from the September 2024 patch day. The CVSS score for this vulnerability is 6.0, and it impacts versions of SAP NetWeaver AS for Java (Destination Service) 7.50. Information disclosure vulnerabilities such as these can expose critical data and potentially facilitate other types of attacks, such as phishing or social engineering.
Additionally, two cross-site scripting (XSS) vulnerabilities were patched in SAP Commerce Backoffice (CVE-2024-45278, CVSS 5.4) and SAP NetWeaver Enterprise Portal (KMC) (CVE-2024-47594, CVSS 5.4). These vulnerabilities, if exploited, could allow attackers to execute malicious scripts in the web browsers of SAP users, leading to compromised session data and other security issues.
Among the medium-priority updates is a Prototype Pollution vulnerability in SAP HANA Client (CVE-2024-45277, CVSS 4.3), which could allow an attacker to manipulate system behavior by modifying object properties. SAP also addressed HTTP Verb Tampering vulnerabilities in SAP S/4 HANA (Manage Bank Statements) (CVE-2024-45282, CVSS 4.3), which could allow malicious users to bypass security measures by exploiting improper handling of HTTP requests.
SAP customers are strongly encouraged to review and implement the latest security notes to protect their systems from potential cyberattacks.
