SAP has released its security patch bundle for August 2024, addressing 17 vulnerabilities, including a critical authentication bypass that could allow remote attackers to fully compromise the system.
The flaw, tracked as CVE-2024-41730 and rated 9.8 under CVSS v3.1, is a “missing authentication check” bug affecting SAP BusinessObjects Business Intelligence Platform versions 430 and 440 and is exploitable under certain conditions.
“In SAP BusinessObjects Business Intelligence Platform, if Single Signed On is enabled on Enterprise authentication, an unauthorized user can get a logon token using a REST endpoint,” reads the vendor’s description of the flaw.
“The attacker can fully compromise the system resulting in High impact on confidentiality, integrity and availability.”
The second critical (CVSS v3.1 score: 9.1) vulnerability addressed this time is CVE-2024-29415, a server-side request forgery flaw in applications built with SAP Build Apps older than version 4.11.130.
The flaw concerns a weakness in the ‘IP’ package for Node.js, which checks whether an IP address is public or private. When octal representation is used, it incorrectly identifies ‘127.0.0.1’ as a public and globally routable address.
This flaw exists because of an incomplete fix for a similar issue tracked as CVE-2023-42282, which left some cases vulnerable to attacks.
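To illustrate the octal-parsing mistake described above, here is an added example (not code from the article, from SAP, or from the `ip` package): a naive public-address check that parses every octet as decimal, beside a stricter version that treats leading-zero octets as octal the way `inet_aton` does and fails closed on anything it cannot parse. The function names and the sample addresses are constructed for this example.

```javascript
// Naive check: parses "0177" as decimal 177, so the octal spelling of
// 127.0.0.1 looks like a public address. This mirrors the class of bug
// described for the `ip` package; it is not that package's code.
function naiveIsPublicIPv4(addr) {
  const o = addr.split('.').map((p) => parseInt(p, 10));
  return !isReservedOctets(o);
}

// Strict parser: exactly four numeric octets; a leading zero means octal
// (as inet_aton interprets it); anything else (hex, short forms, junk)
// yields null so the caller can fail closed.
function parseIPv4Strict(addr) {
  const parts = addr.split('.');
  if (parts.length !== 4) return null;
  const octets = [];
  for (const p of parts) {
    if (!/^\d+$/.test(p)) return null;
    let n;
    if (p.length > 1 && p[0] === '0') {
      if (!/^[0-7]+$/.test(p)) return null; // "08" is not valid octal
      n = parseInt(p, 8);
    } else {
      n = parseInt(p, 10);
    }
    if (n > 255) return null;
    octets.push(n);
  }
  return octets;
}

// Loopback, RFC 1918, link-local and "this network" ranges are not public.
function isReservedOctets([a, b]) {
  return a === 127 || a === 10 || a === 0 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 169 && b === 254);
}

// Hardened check: unparseable input is treated as not public (fail closed).
function isPublicIPv4(addr) {
  const o = parseIPv4Strict(addr);
  return o !== null && !isReservedOctets(o);
}

// Constructed samples: octal loopback, decimal loopback, a public address.
for (const s of ['0177.0.0.1', '127.0.0.1', '93.184.216.34']) {
  console.log(s, 'naive:', naiveIsPublicIPv4(s), 'strict:', isPublicIPv4(s));
}
```

An SSRF guard built on the naive check would let a request through to the loopback interface; the strict version keeps it blocked.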
Of the remaining fixes listed in SAP’s bulletin for this month, the four that are classified as “high severity” (CVSS v3.1 score: 7.4 to 8.2) are summarized as follows:
- CVE-2024-42374 – XML injection issue in the SAP BEx Web Java Runtime Export Web Service. It affects versions BI-BASE-E 7.5, BI-BASE-B 7.5, BI-IBC 7.5, BI-BASE-S 7.5, and BIWEBAPP 7.5.
- CVE-2023-30533 – Flaw related to prototype pollution in SAP S/4 HANA, specifically within the Manage Supply Protection module, affecting library versions of SheetJS CE that are below 0.19.3.
- CVE-2024-34688 – Denial of Service (DoS) vulnerability in SAP NetWeaver AS Java, specifically affecting the Meta Model Repository component version MMR_SERVER 7.5.
- CVE-2024-33003 – Information disclosure vulnerability in SAP Commerce Cloud, affecting versions HY_COM 1808, 1811, 1905, 2005, 2105, 2011, 2205, and COM_CLOUD 2211.
Apply updates now
With SAP being the world’s largest ERP vendor and its products used by over 90% of the Forbes Global 2000 list, hackers are always looking for critical authentication bypass flaws that could give them access to highly valuable corporate networks.
In February 2022, the US Cybersecurity and Infrastructure Security Agency (CISA) urged administrators to patch severe vulnerabilities in SAP business applications to prevent data theft, ransomware, and disruptions to mission-critical operations.
Threat actors exploited unpatched SAP systems between June 2020 and March 2021 to infiltrate corporate networks in at least 300 cases.