SAP Security Patch Day – February 2024
This post shares information on the Security Notes that remediate vulnerabilities discovered in SAP products. SAP strongly recommends that customers apply these patches with priority to protect their SAP landscape.
On 13 February 2024, SAP Security Patch Day saw the release of 13 new Security Notes. In addition, there were 3 updates to previously released Security Notes.
Note# | Title | Severity | CVSS |
---|---|---|---|
| | Update to Security Note released on April 2018 Patch Day: Security updates for the browser control Google Chromium delivered with SAP Business Client Product - SAP Business Client, Versions - 6.5, 7.0, 7.70 | Hot News | 10.0 |
3420923 | [CVE-2024-22131] Code Injection vulnerability in SAP ABA (Application Basis) Product - SAP ABA (Application Basis), Versions - 700, 701, 702, 731, 740, 750, 751, 752, 75C, 75I | Hot News | 9.1 |
3417627 | [CVE-2024-22126] Cross Site Scripting vulnerability in NetWeaver AS Java (User Admin Application) Product - SAP NetWeaver AS Java (User Admin Application), Version - 7.50 | High | 8.8 |
3426111 | [CVE-2024-24743] XXE vulnerability in SAP NetWeaver AS Java (Guided Procedures) Product - SAP NetWeaver AS Java (Guided Procedures), Version - 7.50 | High | 8.6 |
3410875 | [CVE-2024-22130] Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI) Product - SAP CRM WebClient UI, Versions - S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, S4FND 107, S4FND 108, WEBCUIF 700, WEBCUIF 701, WEBCUIF 730, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800, WEBCUIF 801 | High | 7.6 |
3421659 | [CVE-2024-22132] Code Injection vulnerability in SAP IDES Systems Product – IDES Systems, Versions – All versions | High | 7.4 |
3424610 | [CVE-2024-25642] Improper Certificate Validation in SAP Cloud Connector Product – SAP Cloud Connector, Version - 2.0 | High | 7.4 |
3385711 | Update to Security Note released on December 2023 Patch Day: [CVE-2023-49580] Information disclosure vulnerability in SAP GUI for Windows and SAP GUI for Java Product - SAP GUI for Windows and SAP GUI for Java, Versions – SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758 | High | 7.3 |
2637727 | [CVE-2024-24739] Missing authorization check in SAP Bank Account Management Product – BAM (Bank Account Management), Versions – SAP_FIN 618, SAP_FIN 730, S4CORE 100, 101 | Medium | 6.3 |
3404025 | [CVE-2024-22129] Cross-Site Scripting (XSS) vulnerability in SAP Companion Product - SAP Companion, Versions <3.1.38 | Medium | 5.4 |
3360827 | [CVE-2024-24740] Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP (SAP Kernel) Product - SAP NetWeaver Application Server ABAP (SAP Kernel), Versions - KERNEL 7.53, KERNEL 7.54, KERNEL 7.77, KERNEL 7.85, KERNEL 7.89, KERNEL 7.93, KERNEL 7.94, KRNL64UC 7.53 | Medium | 5.3 |
3396109 | [CVE-2024-22128] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Business Client for HTML Product - SAP NWBC for HTML, Versions – SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758, SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731 | Medium | 4.7 |
3237638 | [CVE-2024-25643] Missing authorization check in SAP Fiori app ("My Overtime Requests") Product - SAP Fiori app ("My Overtime Requests"), Versions – 605 | Medium | 4.3 |
2897391 | [CVE-2024-24741] Missing Authorization check in SAP Master Data Governance Material Product – SAP Master Data Governance Material, Versions – 618, 619, 620, 621, 622, 800, 801, 802, 803, 804 | Medium | 4.3 |
3158455 | [CVE-2024-24742] Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI) Product – SAP CRM (WebClient UI), Versions – S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, WEBCUIF 701, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800, WEBCUIF 801 | Medium | 4.1 |
3363690 | Update to Security Note released on December 2023 Patch Day: [CVE-2023-49058] Directory Traversal vulnerability in SAP Master Data Governance Product - SAP Master Data Governance, Versions - MDG_FND 731, MDG_FND 732, MDG_FND 746, MDG_FND 747, MDG_FND 748, MDG_FND 749, MDG_FND 752, MDG_FND 800, MDG_FND 802, MDG_FND 803, MDG_FND 804, MDG_FND 805, MDG_FND 806, MDG_FND 807, MDG_FND 808, SAP_BS_FND 702 | Low | 3.5 |
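As an added example (not part of SAP's post), here is a small Python triage helper that parses rows in the table format above, extracts the note number, CVE, severity, CVSS score and the affected component/version tokens, and matches them against an inventory of installed software components. Both the abridged rows and the inventory below are constructed for illustration. Notes whose affected versions are not component-qualified (for example "Versions - 700, 701" or "All versions") cannot be matched automatically and are returned for manual review, which is the main failure mode to watch for when scripting against this table.

```python
"""Triage helper for SAP Security Patch Day table rows (added example, not SAP code)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: rows in the blog's "note | title | severity | cvss |" format,
# with version lists abridged for brevity.
SAMPLE_ROWS = """\
3420923 | [CVE-2024-22131] Code Injection vulnerability in SAP ABA (Application Basis) Product - SAP ABA (Application Basis), Versions - 700, 701, 702, 731, 740, 750 | Hot News | 9.1 |
3417627 | [CVE-2024-22126] Cross Site Scripting vulnerability in NetWeaver AS Java (User Admin Application) Product - SAP NetWeaver AS Java (User Admin Application), Version - 7.50 | High | 8.8 |
3410875 | [CVE-2024-22130] Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI) Product - SAP CRM WebClient UI, Versions - S4FND 102, S4FND 103, WEBCUIF 747, WEBCUIF 748 | High | 7.6 |
3421659 | [CVE-2024-22132] Code Injection vulnerability in SAP IDES Systems Product – IDES Systems, Versions – All versions | High | 7.4 |
2637727 | [CVE-2024-24739] Missing authorization check in SAP Bank Account Management Product – BAM (Bank Account Management), Versions – SAP_FIN 618, SAP_FIN 730, S4CORE 100, 101 | Medium | 6.3 |
3360827 | [CVE-2024-24740] Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP (SAP Kernel) Product - SAP NetWeaver Application Server ABAP (SAP Kernel), Versions - KERNEL 7.53, KERNEL 7.85, KRNL64UC 7.53 | Medium | 5.3 |
3396109 | [CVE-2024-22128] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Business Client for HTML Product - SAP NWBC for HTML, Versions – SAP_UI 754, SAP_UI 755, SAP_BASIS 700, SAP_BASIS 701 | Medium | 4.7 |
"""

# Constructed inventory of one hypothetical system: software component -> release.
INVENTORY = {"SAP_BASIS": "757", "SAP_UI": "755", "KERNEL": "7.85",
             "WEBCUIF": "748", "S4FND": "107"}

CVE_RE = re.compile(r"\[(CVE-\d{4}-\d+)\]")
# "Versions - x, y", "Version – x" and "Versions <x" all appear in the table.
VERSIONS_RE = re.compile(r"Versions?\s*(?:[-–]\s*)?(.+)$")
# A component-qualified token such as "SAP_BASIS 755" or "KRNL64UC 7.53".
COMP_VER_RE = re.compile(r"^([A-Z][A-Z0-9_]+)\s+(\S+)$")


@dataclass
class Note:
    number: str
    cve: Optional[str]
    title: str
    severity: str
    cvss: float
    affected: list[tuple[Optional[str], str]]  # (component or None, version)


def parse_row(row: str) -> Note:
    """Parse one table row; raises on a malformed row instead of guessing."""
    cells = [c.strip() for c in row.strip().strip("|").split("|")]
    if len(cells) != 4:
        raise ValueError(f"expected 4 cells, got {len(cells)}: {row!r}")
    number, title, severity, cvss = cells
    cve_match = CVE_RE.search(title)
    affected: list[tuple[Optional[str], str]] = []
    ver_match = VERSIONS_RE.search(title)
    if ver_match:
        last_comp: Optional[str] = None
        for tok in (t.strip() for t in ver_match.group(1).split(",")):
            if not tok:
                continue
            cm = COMP_VER_RE.match(tok)
            if cm:
                last_comp = cm.group(1)
                affected.append((cm.group(1), cm.group(2)))
            else:
                # "S4CORE 100, 101": a bare version after a component-qualified
                # one inherits that component; a bare version with no
                # preceding component stays unqualified.
                affected.append((last_comp, tok))
    return Note(number, cve_match.group(1) if cve_match else None,
                title, severity, float(cvss), affected)


def triage(notes: list[Note], inventory: dict[str, str]):
    """Split notes into (applicable, manual_review, not_applicable), each sorted by CVSS desc.

    Assumes `inventory` lists every installed component; a note whose
    component-qualified versions match nothing in it is treated as not applicable.
    """
    applicable, review, not_applicable = [], [], []
    for note in notes:
        qualified = [(c, v) for c, v in note.affected if c]
        if not qualified:
            review.append(note)  # cannot be decided from component data alone
        elif any(inventory.get(c) == v for c, v in qualified):
            applicable.append(note)
        else:
            not_applicable.append(note)
    by_cvss = lambda n: -n.cvss
    return (sorted(applicable, key=by_cvss), sorted(review, key=by_cvss),
            sorted(not_applicable, key=by_cvss))


def triage_sample():
    notes = [parse_row(r) for r in SAMPLE_ROWS.strip().splitlines()]
    return triage(notes, INVENTORY)


if __name__ == "__main__":
    for label, bucket in zip(("APPLY", "REVIEW", "N/A"), triage_sample()):
        for n in bucket:
            print(f"{label:6} {n.number} {n.cve} {n.severity} {n.cvss}")
```

Replace INVENTORY with the software component releases of the target system before relying on the "applicable" bucket, and treat the review bucket as a to-do list rather than as noise: in this month's table it contains the Hot News note for SAP ABA, whose affected versions are bare release numbers.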
To know more about the security researchers and research companies who have contributed to this month's security patches, visit here.
Archived blogs from previous years are available here.
If you have any comments or feedback about this post, you can write to secure@sap.com.
SAP is committed to delivering trustworthy products and cloud services. Secure configuration is essential to ensure secure operation and data integrity. We have therefore documented security recommendations, consolidated in this document, to help you configure the best security for your SAP portfolio.