SAP Security Patch Day – January 2024
This post shares information on the Security Notes that remediate vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply the patches with priority to protect their SAP landscape.
On 9 January 2024, SAP Security Patch Day saw the release of 10 new Security Notes. In addition, there were 2 updates to previously released Security Notes.
| Note# | Title | Severity | CVSS |
|---|---|---|---|
| | [CVE-2023-49583] Escalation of Privileges in applications developed through SAP Business Application Studio, SAP Web IDE Full-Stack and SAP Web IDE for SAP HANA. Library: @sap/xssec, versions < 3.6.0; Library: @sap/approuter, versions 14.4.2 | Hot News | |
| | [Multiple CVEs] Escalation of Privileges in SAP Edge Integration Cell | Hot News | |
| | Update to Security Note released on December 2023 Patch Day: [Multiple CVEs] Escalation of Privileges in SAP Business Technology Platform (BTP) Security Services Integration Libraries. CVEs: CVE-2023-49583, CVE-2023-50422, CVE-2023-50423, CVE-2023-50424. Library: @sap/xssec, versions < 3.6.0; Library: cloud-security-services-integration-library, versions < 2.17.0 and from 3.0.0 before 3.3.0; Library: sap-xssec, versions < 4.1.0; Library: github.com/sap/cloud-security-client-go, versions < 0.17.0 | Hot News | |
| | [CVE-2024-21737] Code Injection vulnerability in SAP Application Interface Framework (File Adapter) | High | |
| | [CVE-2023-44487] Denial of Service (DoS) in SAP Web Dispatcher, SAP NetWeaver Application Server ABAP, and ABAP Platform | High | |
| | [CVE-2024-22125] Information Disclosure vulnerability in Microsoft Edge browser extension (SAP GUI connector for Microsoft Edge) | High | |
| | [CVE-2024-21735] Improper Authorization check in SAP LT Replication Server | High | |
| | [CVE-2024-21736] Missing Authorization check in SAP S/4HANA Finance (Advanced Payment Management) | Medium | |
| | Update to Security Note released on July 2023 Patch Day: [CVE-2023-31405] Log Injection vulnerability in SAP NetWeaver AS for Java (Log Viewer). Product: SAP NetWeaver AS for Java (Log Viewer), versions ENGINEAPI 7.50, SERVERCORE 7.50, J2EE-APPS 7.50 | Medium | |
| | [CVE-2024-21738] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver ABAP Application Server and ABAP Platform | Medium | |
| | [CVE-2024-22124] Information Disclosure vulnerability in SAP NetWeaver Internet Communication Manager | Medium | |
| | [CVE-2024-21734] URL Redirection vulnerability in SAP Marketing (Contacts App) | Low | |
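The affected version ranges given in the table for the BTP security services integration libraries can be checked mechanically against a dependency inventory. The script below is an added example, not SAP's tooling and not part of the original post: it encodes the ranges exactly as the table states them, runs them over a constructed inventory of installed library versions (the `AFFECTED` table, `parse_version`, `is_affected`, `scan` and `INSTALLED` are this example's own names), and treats the bare @sap/approuter entry 14.4.2 as an exact match because the post lists it without a comparator.

```python
"""Check an inventory of installed library versions against the affected
ranges listed in this Patch Day post for the SAP BTP security services
integration libraries (added example; not SAP's own tooling)."""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Affected ranges exactly as the post states them. Rule kinds:
#   ("lt", hi)        -> version < hi
#   ("range", lo, hi) -> lo <= version < hi
#   ("eq", v)         -> version == v (the post lists @sap/approuter as a bare
#                        version, so it is treated as an exact match here)
AFFECTED = {
    "@sap/xssec": [("lt", "3.6.0")],
    "@sap/approuter": [("eq", "14.4.2")],
    "cloud-security-services-integration-library": [
        ("lt", "2.17.0"),
        ("range", "3.0.0", "3.3.0"),
    ],
    "sap-xssec": [("lt", "4.1.0")],
    "github.com/sap/cloud-security-client-go": [("lt", "0.17.0")],
}


def parse_version(text: str) -> Version:
    """Turn "v3.6.0-rc1" into (3, 6, 0); missing components are padded with 0.
    Pre-release and build suffixes are dropped, so a pre-release of the fixed
    version compares as fixed; flag those by hand if your landscape uses them."""
    core = text.strip().lstrip("v").split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_affected(library: str, version: str) -> bool:
    """True if the library is tracked and the version matches one of its rules."""
    v = parse_version(version)
    for rule in AFFECTED.get(library, []):
        kind = rule[0]
        if kind == "lt" and v < parse_version(rule[1]):
            return True
        if kind == "range" and parse_version(rule[1]) <= v < parse_version(rule[2]):
            return True
        if kind == "eq" and v == parse_version(rule[1]):
            return True
    return False


def scan(installed: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return the (library, version) pairs from the inventory that are affected."""
    return [(lib, ver) for lib, ver in installed.items() if is_affected(lib, ver)]


# Constructed inventory: what you might collect from package-lock.json,
# requirements.txt, pom.xml and go.sum across a landscape. Not real data.
INSTALLED = {
    "@sap/xssec": "3.5.2",
    "@sap/approuter": "14.4.2",
    "cloud-security-services-integration-library": "3.1.0",
    "sap-xssec": "4.1.0",
    "github.com/sap/cloud-security-client-go": "v0.16.3",
    "express": "4.18.2",
}

if __name__ == "__main__":
    for lib, ver in scan(INSTALLED):
        print(f"AFFECTED: {lib} {ver} -> update per the SAP Security Note")
```

The half-open rules mirror the wording "< 2.17.0" and "from 3.0.0 before 3.3.0", so the first fixed version (2.17.0, 3.3.0, 3.6.0, 4.1.0, 0.17.0) is reported as clean and everything below it as affected. Libraries not named in the post (here `express`) are simply not tracked, which is why a list like this is only useful alongside a full dependency scanner.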
To learn more about the security researchers and research companies who contributed to this month's security patches, visit here.
Archived blogs from previous years are available here.
If you have any comments or feedback about this post, you can write to secure@sap.com.
SAP is committed to delivering trustworthy products and cloud services. Secure configuration is essential to ensure secure operation and data integrity. We have therefore documented security recommendations, consolidated in this document, to help you configure the best security for your SAP portfolio.