SAP Security Patch Day – November 2024
This post shares information on Security Notes that remediate vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply patches as a priority to protect their SAP landscape.
On 12th of November 2024, SAP Security Patch Day saw the release of 8 new Security Notes. Further, there were 2 updates to previously released Security Notes.
| Note# | Title | Priority | CVSS |
|---|---|---|---|
| | [CVE-2024-47590] Cross-Site Scripting (XSS) vulnerability in SAP Web Dispatcher. Product: SAP Web Dispatcher; Versions: WEBDISP 7.77, 7.89, 7.93, KERNEL 7.77, 7.89, 7.93, 9.12, 9.13 | High | |
| | Update to Security Note released on July 2024 Patch Day: [CVE-2024-39592] Missing Authorization check in SAP PDCE. Product: SAP PDCE; Versions: S4CORE 102, 103, S4COREOP 104, 105, 106, 107, 108 | High | |
| | [CVE-2024-42372] Missing Authorization check in SAP NetWeaver AS Java (System Landscape Directory). Product: SAP NetWeaver AS Java (System Landscape Directory); Versions: LM-SLD 7.5 | Medium | |
| | [CVE-2024-47595] Local Privilege Escalation in SAP Host Agent | Medium | |
| | [CVE-2024-47592] Information Disclosure Vulnerability in SAP NetWeaver Application Server Java (Logon Application). Product: SAP NetWeaver Application Server Java (Logon Application); Versions: SERVERCORE 7.5 | Medium | |
| | [CVE-2024-47586] NULL Pointer Dereference vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform. Product: SAP NetWeaver Application Server for ABAP and ABAP Platform; Versions: KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, 8.04, KERNEL 7.22, 7.53, 7.54, 7.77, 7.89, 7.93, 8.04, 9.12, 9.13 | Medium | |
| | [CVE-2024-47588] Information Disclosure vulnerability in SAP NetWeaver Java (Software Update Manager) | Medium | |
| | [CVE-2024-47593] Information Disclosure Vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform | Medium | |
| | [CVE-2024-47587] Missing authorization check in SAP Cash Management (Cash Operations) | Low | |
| | Update to Security Note released on May 2024 Patch Day: [CVE-2024-33000] Missing Authorization check in SAP Bank Account Management | Low | |
To learn more about the security researchers and research companies who contributed to this month's security patches, visit here.
Archived blogs from previous years are available here.
If you have any comments or feedback about this post, you can write to secure@sap.com.
SAP is committed to delivering trustworthy products and cloud services. Secure configuration is essential to ensure secure operation and data integrity. We have therefore documented security recommendations that are consolidated in this document to help you configure the best security for your SAP portfolio.