### #SAPSecurity #PatchManagement #VulnerabilityAlert
Summary: SAP’s latest Security Patch Day has revealed 10 new Security Notes, including critical vulnerabilities that require immediate action from organizations using SAP solutions. Notably, CVE-2024-47578 poses severe exploitation risks, highlighting the urgency for patch application.
Threat Actor: Unknown | unknown
Victim: Organizations using SAP solutions | organizations using SAP solutions
Key Point :
- 10 new Security Notes released, with multiple critical vulnerabilities requiring immediate attention.
- CVE-2024-47578, CVE-2024-47579, and CVE-2024-47580 have a CVSS score of 9.1, posing severe exploitation risks.
- CVE-2024-47590 is a Cross-Site Scripting (XSS) vulnerability in SAP Web Dispatcher, rated 8.8.
- CVE-2024-54198 allows unauthorized access to sensitive data through Remote Function Call (RFC), with a CVSS score of 8.5.
- CVE-2024-54197 involves Server-Side Request Forgery (SSRF) in SAP NetWeaver Administrator, rated 7.2.
- Medium and low-risk vulnerabilities also identified, emphasizing the need for ongoing monitoring and patch management.
- SAP urges customers to apply patches immediately to mitigate risks associated with these vulnerabilities.
SAP’s latest Security Patch Day, released today, detailed 10 new Security Notes alongside updates to three previously released notes. Among the newly disclosed vulnerabilities, multiple critical and high-priority flaws demand immediate attention from organizations leveraging SAP solutions.
One of the most urgent issues, CVE-2024-47578, affects SAP NetWeaver AS for JAVA (Adobe Document Services). This vulnerability, combined with two related CVEs—CVE-2024-47579 and CVE-2024-47580—allows for severe exploitation risks. These flaws, rated with a CVSS score of 9.1, can lead to unauthorized actions with significant impacts on confidentiality, integrity, and availability. SAP recommends applying the corresponding patches immediately.
Another critical update addresses CVE-2024-47590, a Cross-Site Scripting (XSS) vulnerability in SAP Web Dispatcher, affecting versions ranging from WEBDISP 7.77 to 9.13. With a CVSS score of 8.8, this flaw could allow attackers to inject malicious scripts into trusted web applications.
The list also includes CVE-2024-54198, an Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP, with a CVSS score of 8.5. Exploiting this flaw could provide unauthorized access to sensitive data through Remote Function Call (RFC).
One of the more important vulnerabilities, CVE-2024-54197, involves a Server-Side Request Forgery (SSRF) issue in SAP NetWeaver Administrator. With a CVSS score of 7.2, this flaw allows attackers to manipulate backend systems to send unauthorized requests, which can be particularly harmful in cloud environments.
SAP also highlighted a Missing Authorization Check in SAP HCM (CVE-2024-47581) and a DLL Hijacking Vulnerability in SAP Product Lifecycle Costing (CVE-2024-47576). Although these are rated as medium and low risks, they underscore the importance of consistent monitoring and patch management.
SAP strongly urges customers to address these vulnerabilities by applying the patches provided in the Security Notes. The company emphasized the importance of addressing critical and high-priority issues, particularly those affecting widely used platforms like SAP NetWeaver and SAP BusinessObjects.