SAP Security Patch Day – September 2024

This post shares information on Security Notes that remediate vulnerabilities discovered in SAP products. SAP strongly recommends that the customer visits the Support Portal and applies patches on priority to protect their SAP landscape.

On 10th of September 2024, SAP Security Patch Day saw the release of 16 new Security Notes. Further, there were 3 updates to previously released Security Notes.

Note#TitlePriorityCVSS
3479478

Update to Security Note released on August 2024 Patch Day:  

[CVE-2024-41730] Missing Authentication check in SAP BusinessObjects Business Intelligence Platform
Product - SAP BusinessObjects Business Intelligence Platform, Versions - ENTERPRISE 430, 440

Hot News9.8
3459935

Update to Security Note released on August 2024 Patch Day:

[CVE-2024-33003] Information Disclosure Vulnerability in SAP Commerce Cloud  

Product - SAP Commerce Cloud, Versions - HY_COM 1808, 1811, 1905, 2005, 2105, 2011, 2205, COM_CLOUD 2211

High7.4
3495876

Update to Security Note released on August 2024 Patch Day:

[Multiple CVEs] Multiple vulnerabilities in SAP Replication Server (FOSS)  

CVEs - CVE-2023-0215, CVE-2022-0778 , CVE-2023-0286

Product - SAP Replication Server, Versions - 16.0.3, 16.0.4

Medium6.5
3488341[CVE-2024-45286] Missing Authorization check in SAP Production and Revenue Accounting (Tobin interface)
Product - SAP Production and Revenue Accounting (Tobin interface), Versions - S4CEXT 106, S4CEXT 107, S4CEXT 108, IS-PRA 605, IS-PRA 606, IS-PRA 616, IS-PRA 617, IS-PRA 618, IS-PRA 800, IS-PRA 801, IS-PRA 802, IS-PRA 803, IS-PRA 804, IS-PRA 805		Medium6.5
3497347[CVE-2024-42378] Cross-Site Scripting (XSS) in eProcurement on S/4HANA 
Product  - SAP S/4HANA eProcurement, Versions - SAP_APPL 606, SAP_APPL 617, SAP_APPL 618, S4CORE 102, S4CORE 103, S4CORE 104, S4CORE 105, S4CORE 106, S4CORE 107, S4CORE 108		Medium6.1
3501359[CVE-2024-45279] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server for ABAP(CRM Blueprint Application Builder Panel) 
Product - SAP NetWeaver Application Server for ABAP (CRM Blueprint Application Builder Panel), Versions – 700, 701, 702, 731, 740, 750, 751, 752, 75C, 75D, 75E, 75F, 75G, 75H, 75I		Medium6.1
3477359[CVE-2024-45283] Information disclosure vulnerability in SAP NetWeaver AS for Java (Destination Service) 
Product - SAP NetWeaver AS for Java (Destination Service), Versions - 7.50		Medium6.0
3430336[CVE-2013-3587] Information Disclosure vulnerability in SAP Commerce Cloud 
Product - SAP Commerce Cloud, Version - COM_CLOUD 2211		Medium5.9
3425287[CVE-2024-45281] DLL hijacking vulnerability in SAP BusinessObjects Business Intelligence Platform 
Product - SAP BusinessObjects Business Intelligence Platform, Version - 430		Medium5.8
3488039

[Multiple CVEs] Multiple vulnerabilities in SAP NetWeaver Application Server for ABAP and ABAP Platform

CVEs - CVE-2024-42371, CVE-2024-44117, CVE-2024-45285, CVE-2024-42380, CVE-2024-44115, CVE-2024-44116

Product - SAP NetWeaver Application Server for ABAP and ABAP Platform, Versions - 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, 912

Medium5.4
3505503[CVE-2024-45280] Cross-Site Scripting (XSS) Vulnerability in SAP NetWeaver AS Java (Logon Application)
Product - SAP NetWeaver AS Java (Logon Application), Version - 7.50		Medium4.8
3498221

[CVE-2024-44120] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal

Product - SAP NetWeaver Enterprise Portal, Version - 7.50

Medium4.7   
3481992

[CVE-2024-44113] Information Disclosure vulnerability in the SAP Business Warehouse (BEx Analyzer)  

Product - SAP Business Warehouse (BEx Analyzer), Versions - DW4CORE 200, DW4CORE 300, DW4CORE 400, SAP_BW 700, SAP_BW 701, SAP_BW 702, SAP_BW 731, SAP_BW 740, SAP_BW 750, SAP_BW 751, SAP_BW 752, SAP_BW 753, SAP_BW 754, SAP_BW 755, SAP_BW 756, SAP_BW 757, SAP_BW 758

Medium4.3
3481588

[CVE-2024-41729] Information Disclosure vulnerability in the SAP NetWeaver BW (BEx Analyzer)

Product - SAP NetWeaver BW (BEx Analyzer), Versions - DW4CORE 200, DW4CORE 300, DW4CORE 400, SAP_BW 700, SAP_BW 701, SAP_BW 702, SAP_BW 731, SAP_BW 740, SAP_BW 750, SAP_BW 751, SAP_BW 752, SAP_BW 753, SAP_BW 754, SAP_BW 755, SAP_BW 756, SAP_BW 757, SAP_BW 758

Medium4.3
3437585

[CVE-2024-44121] Information Disclosure in SAP S/4 HANA (Statutory Reports)

Product - SAP S/4 HANA, Version – 900

Medium  4.3
3505293    [CVE-2024-44112] Missing Authorization check in SAP for Oil & Gas (Transportation and Distribution) 
Product - SAP for Oil & Gas, Versions – 600, 602, 603, 604, 605, 606, 617, 618, 800, 802, 803, 804, 805, 806, 807, 807		Medium4.3
2256627[CVE-2024-45284] Missing authorization check in SAP Student Life Cycle Management (SLcM) 
Product - SAP Student Life Cycle Management (SLcM), Versions – 617, 618, 800, 802, 803, 804, 805, 806, 807, 808		Low2.7
3496410[CVE-2024-41728] Missing Authorization check in SAP NetWeaver Application Server for ABAP and ABAP Platform 
Product - SAP NetWeaver Application Server for ABAP and ABAP Platform, Version – 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, 912		Low2.7
3507252[CVE-2024-44114] Missing Authorization check in SAP NetWeaver Application Server for ABAP and ABAP Platform 
Product - SAP NetWeaver Application Server for ABAP and ABAP Platform, Versions – 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, 912		Low2.0

To know more about the security researchers and research companies who have contributed for security patches of this month, visit here.

Archived blogs from previous years are available here.

If you have any comments or feedback about this post, you can write to secure@sap.com.

SAP is committed to deliver trustworthy products and cloud services. Secure configuration is essential to ensure secure operation and data integrity. We have therefore documented security recommendations that are consolidated in this document to help you configure the best security for your SAP portfolio.