ADVISORY!
TLP : CLEAR
Date : 11/04/2024
REF NO : CERT / 2024/04/29
Multiple Vulnerabilities in SAP Products
Severity Level: High
Components Affected
- SAP NetWeaver AS Java (User Management Engine)
- SAP BusinessObjects Web Intelligence
- SAP Asset Accounting
- SAP Edge Integration Cell
- SAP NetWeaver AS ABAP and ABAP Platform
- SAP Group Reporting Data Collection (Enter Package Data)
- SAP Employee Self Service (Fiori My Leave Request)
- SAP S/4 HANA (Manage Catalog Items and Cross-Catalog search)
- SAP NetWeaver
- SAP Business Connector
- SAP S/4 HANA (Cash Management)’
Overview
Multiple vulnerabilities have been reported in SAP Products which could allow an attacker to perform Stack overflow, Denial of service (DOS), URL redirection, Server-Side Request Forgery, Cross-Site Scripting (XSS), Improper Certificate Validation, Information disclosure, Missing authorization check and Directory Traversal on the targeted system.
Description
Impact
- Security Misconfiguration
- Information Disclosure
- Directory Traversal
- Stack Overflow
- Denial of Service
- Missing Authorization Check
- URL Redirection
- Server-Side Request Forgery
- Cross-Site Scripting
Solution/ Workarounds
Apply appropriate fixes as mentioned in SAP Security Advisory:
https://support.sap.com/en/my-support/knowledge-base/security-notes-news/april-2024.html
Reference
Disclaimer : The information provided herein is on an “as is” basis, without warranty of any kind.
Sri Lanka Computer Emergency Readiness Team | Coordination Centre
- Hotline : 101
- +94 11 269 1692
- Room 4-112, BMICH, Bauddhaloka Mawatha, Colombo 07, Sri Lanka.
- General inquiry: cert@cert.gov.lk
- Security incidents: incidents@cert.gov.lk
- Social media incidents: report@cert.gov.lk
