SAP Security Patch Day – November 2024

This post shares information on Security Notes that remediate vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply patches on priority to protect their SAP landscape.

On 12th of November 2024, SAP Security Patch Day saw the release of 8 new Security Notes. Further, there were 2 updates to previously released Security Notes.

| Note# | Title | Priority | CVSS |
|---|---|---|---|
| 3520281 | [CVE-2024-47590] Cross-Site Scripting (XSS) vulnerability in SAP Web Dispatcher. Product: SAP Web Dispatcher, Versions: WEBDISP 7.77, 7.89, 7.93, KERNEL 7.77, 7.89, 7.93, 9.12, 9.13 | High | 8.8 |
| 3483344 | Update to Security Note released on July 2024 Patch Day: [CVE-2024-39592] Missing Authorization check in SAP PDCE. Product: SAP PDCE, Version: S4CORE 102, 103, S4COREOP 104, 105, 106, 107, 108 | High | 7.7 |
| 3335394 | [CVE-2024-42372] Missing Authorization check in SAP NetWeaver AS Java (System Landscape Directory). Product: SAP NetWeaver AS Java (System Landscape Directory), Versions: LM-SLD 7.5 | Medium | 6.5 |
| 3509619 | [CVE-2024-47595] Local Privilege Escalation in SAP Host Agent. Product: SAP Host Agent, Version: SAPHOSTAGENT 7.22 | Medium | 6.3 |
| 3393899 | [CVE-2024-47592] Information Disclosure Vulnerability in SAP NetWeaver Application Server Java (Logon Application). Product: SAP NetWeaver Application Server Java (Logon Application), Versions: SERVERCORE 7.5 | Medium | 5.3 |
| 3504390 | [CVE-2024-47586] NULL Pointer Dereference vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform. Product: SAP NetWeaver Application Server for ABAP and ABAP Platform, Versions: KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, 8.04, KERNEL 7.22, 7.53, 7.54, 7.77, 7.89, 7.93, 8.04, 9.12, 9.13 | Medium | 5.3 |
| 3522953 | [CVE-2024-47588] Information Disclosure vulnerability in SAP NetWeaver Java (Software Update Manager). Product: SAP NetWeaver Java (Software Update Manager), Versions: SUM 1.1 | Medium | 4.7 |
| 3508947 | [CVE-2024-47593] Information Disclosure Vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform. Product: SAP NetWeaver Application Server ABAP, Versions: KRNL64UC 7.53, KERNEL 7.53, 7.54, 7.77, 7.89, 7.93, 9.12 | Medium | 4.3 |
| 3498470 | [CVE-2024-47587] Missing authorization check in SAP Cash Management (Cash Operations). Product: SAP Cash Management (Cash Operations), Version: S4CORE 103, 104, 105, 106, 107, 108 | Low | 3.5 |
| 3392049 | Update to Security Note released on May 2024 Patch Day: [CVE-2024-33000] Missing Authorization check in SAP Bank Account Management. Product: SAP Bank Account Management, Version: 100, 101, 102, 103, 104, 105, 106, 107, 108 | Low | 3.5 |

To learn more about the security researchers and research companies who contributed to this month's security patches, visit here.

Archived blogs from previous years are available here.

If you have any comments or feedback about this post, you can write to secure@sap.com.

SAP is committed to delivering trustworthy products and cloud services. Secure configuration is essential to ensure secure operation and data integrity. We have therefore documented security recommendations that are consolidated in this document to help you configure the best security for your SAP portfolio.