SAP Security Patch Day: CVE-2024-22127 – Critical Vulnerability Demand Immediate Action
Enterprise software leader SAP released a critical set of patches as part of its March 2024 Security Patch Day, addressing multiple severe vulnerabilities within its widely used product suite. Topping the list are three “Hot News” security notes that resolve code injection vulnerabilities, potentially allowing attackers to completely compromise affected systems.
Chromium Vulnerability Persists
The first “Hot News” update revisits a patch for the Chromium-embedded browser within SAP Business Client. Initially released in 2018, this update highlights the ongoing challenge of maintaining security in complex software environments.
Code Injection Threat Targets SAP Build Apps
Another “Hot News” note addresses CVE-2019-10744, a code injection vulnerability lurking within applications developed with SAP Build Apps. This flaw carries a CVSS score of 9.4, underscoring its danger to enterprise systems.
Java Vulnerability Opens a Backdoor in SAP NetWeaver
The final “Hot News” patch targets another code injection vulnerability, CVE-2024-22127 (CVSS 9.1), this time discovered in SAP NetWeaver AS Java’s Administrator Log Viewer plug-in. The SAP NetWeaver Administrator AS Java version 7.50 contains a command injection vulnerability. Attackers with high privileges can exploit CVE-2024-22127 by uploading malicious files, potentially leading to severe impacts on the confidentiality, integrity, and availability of the application.
Additional Risks: Authentication Bypass, Denial-of-Service
While the “Hot News” vulnerabilities rightfully command attention, SAP also addressed three high-severity risks. These include an authentication bypass in SAP Commerce Cloud, potentially allowing unauthorized purchases or data theft, as well as a denial-of-service flaw in SAP HANA that could disrupt critical operations. Finally, a path traversal vulnerability in SAP BusinessObjects could grant attackers access to sensitive data.
The Takeaway: Don’t Delay, Patch Today!
This March 2024 Patch Day serves as a stark reminder: even the most robust enterprise software is not immune to critical flaws. SAP customers are strongly advised to implement these patches immediately to mitigate the serious risks posed by these vulnerabilities.
