SAP has launched its safety patch bundle for August 2024, addressing 17 vulnerabilities, together with a crucial authentication bypass that might enable distant attackers to completely compromise the system.
The flaw, tracked as CVE-2024-41730 and rated 9.8 as per the CVSS v3.1 system, is a “missing authentication check” bug impacting SAP BusinessObjects Enterprise Intelligence Platform variations 430 and 440 and is exploitable underneath sure situations.
“In SAP BusinessObjects Business Intelligence Platform, if Single Signed On is enabled on Enterprise authentication, an unauthorized user can get a logon token using a REST endpoint,” reads the seller’s description of the flaw.
“The attacker can fully compromise the system resulting in High impact on confidentiality, integrity and availability.”
The second crucial (CVSS v3.1 rating: 9.1) vulnerability addressed this time is CVE-2024-29415, a server-side request forgery flaw in functions constructed with SAP Construct Apps older than model 4.11.130.
The flaw considerations a weak point within the ‘IP’ bundle for Node.js, which checks whether or not an IP deal with is public or non-public. When octal illustration is used, it falsely acknowledges ‘127.0.0.1’ as a public and globally routable deal with.
This flaw exists as a consequence of an incomplete repair for the same situation tracked as CVE-2023-42282, which left some circumstances weak to assaults.
Of the remaining fixes listed in SAP’s bulletin for this month, the 4 which can be categorized as “high severity” (CVSS v3.1 rating: 7.4 to eight.2) are summarized as follows:
- CVE-2024-42374 – XML injection situation within the SAP BEx Internet Java Runtime Export Internet Service. It impacts variations BI-BASE-E 7.5, BI-BASE-B 7.5, BI-IBC 7.5, BI-BASE-S 7.5, and BIWEBAPP 7.5.
- CVE-2023-30533 – Flaw associated to prototype air pollution in SAP S/4 HANA, particularly throughout the Handle Provide Safety module, impacting library variations of SheetJS CE which can be under 0.19.3.
- CVE-2024-34688 – Denial of Service (DOS) vulnerability in SAP NetWeaver AS Java, particularly affecting the Meta Mannequin Repository part model MMR_SERVER 7.5.
- CVE-2024-33003 – Vulnerability pertaining to an info disclosure situation in SAP Commerce Cloud, affecting variations HY_COM 1808, 1811, 1905, 2005, 2105, 2011, 2205, and COM_CLOUD 2211.
Apply updates now
With SAP being the world’s largest ERP vendor and its merchandise utilized in over 90% of the Forbes International 2000 checklist, hackers are all the time searching for crucial authentication bypass flaws that might allow them to entry extremely helpful company networks.
In February 2022, the US Cybersecurity and Infrastructure Safety Company (CISA) urged directors to patch extreme vulnerabilities in SAP enterprise functions to forestall knowledge theft, ransomware, and disruptions to mission-critical operations.
Risk actors exploited unpatched SAP programs between June 2020 and March 2021 to infiltrate company networks in a minimum of 300 circumstances.
