Multiple Vulnerabilities in SAP Products

Severity Level: High

Date: 02/09/2024

Ref: CERT / 2024/09/78

Components Affected

• SAP BusinessObjects Business Intelligence Platform
• SAP Build Apps
• SAP BEx Web Java Runtime Export Web Service
• SAP S/4 HANA, Library
• SAP NetWeaver AS Java
• SAP Commerce Cloud
• SAP Landscape Management
• SAP Replication Server
• SAP Document Builder
• SAP NetWeaver Application Server (ABAP and Java)
• SAP Web Dispatcher and SAP Content Server
• SAP Shared Service Framework
• SAP Business Warehouse – Business Planning and Simulation
• SAP BW/4HANA Transformation and Data Transfer Process
• SAP Commerce Backoffice
• SAP Commerce
• SAP CRM ABAP (Insights Management)
• SAP Business Workflow (WebFlow Services)
• SAP NetWeaver Application Server ABAP
• SAP Student LifeCycle Management (SLcM)
• SAP S/4 HANA
• SAP Web Dispatcher and SAP Content Server
• SAP Student Life Cycle Management (SLcM)
• SAP Permit to Work

Overview

Multiple vulnerabilities have been reported in SAP Products which could allow an attacker to escalate privileges, inject arbitrary code, disclose sensitive information, cause memory corruption, perform blind SSRF attacks, inject system logs, perform DoS attacks, perform Cross-site scripting (XSS) attacks, redirect users to arbitrary URLs, and bypass security restrictions on the targeted system.

Description

Multiple vulnerabilities have been reported in SAP products; details of which are provided below:

Impact

• Missing authentication check
• Server-side request forgery
• XML injection
• Prototype pollution
• Denial of service
• Information disclosure
• Unrestricted file upload
• Missing authorization check
• Cross-site scripting
• Improper access control

Solution/Workarounds

Apply appropriate fixes as mentioned in SAP Security Advisory: SAP Security Advisory

Reference

• SAP Security Notes - August 2024

Disclaimer

The information provided herein is on an "as-is" basis, without warranty of any kind.