SAP Security Patch Day – August 2024

This page shares information about the Security Notes that fix vulnerabilities discovered in SAP products. To protect your SAP landscape, we strongly recommend applying these patches as a priority.

On 13 August 2024, SAP Security Patch Day released 17 new Security Notes. In addition, there are 8 updates to previously released Security Notes.

| Note# | Title | Product and versions | Priority | CVSS |
|---|---|---|---|---|
| 3479478 | [CVE-2024-41730] Missing Authentication check in SAP BusinessObjects Business Intelligence Platform | SAP BusinessObjects Business Intelligence Platform, versions ENTERPRISE 430, 440 | Hot News | 9.8 |
| 3477196 | [CVE-2024-29415] Server-Side Request Forgery vulnerability in applications built with SAP Build Apps | SAP Build Apps, versions < 4.11.130 | Hot News | 9.1 |
| 3485284 | [CVE-2024-42374] XML injection in SAP BEx Web Java Runtime Export Web Service | SAP BEx Web Java Runtime Export Web Service, versions BI-BASE-E 7.5, BI-BASE-B 7.5, BI-IBC 7.5, BI-BASE-S 7.5, BIWEBAPP 7.5 | High | 8.2 |
| 3423268 | [CVE-2023-30533] Prototype Pollution in SAP S/4 HANA (Manage Supply Protection) | SAP S/4 HANA, library versions SheetJS CE < 0.19.3 | High | 7.8 |
| 3460407 | Update to Security Note released on June 2024 Patch Day: [CVE-2024-34688] Denial of service (DOS) in SAP NetWeaver AS Java (Meta Model Repository) | SAP NetWeaver AS Java, version MMR_SERVER 7.5 | High | 7.5 |
| 3459935 | [CVE-2024-33003] Information Disclosure Vulnerability in SAP Commerce Cloud | SAP Commerce Cloud, versions HY_COM 1808, 1811, 1905, 2005, 2105, 2011, 2205, COM_CLOUD 2211 | High | 7.4 |
| 3466801 | Update to Security Note released on July 2024 Patch Day: [CVE-2024-39593] Information Disclosure vulnerability in SAP Landscape Management | SAP Landscape Management, version VCM 3.00 | Medium | 6.9 |
| 3495876 | [Multiple CVEs] Multiple vulnerabilities in SAP Replication Server (FOSS); CVEs: CVE-2023-0215, CVE-2022-0778, CVE-2023-0286 | SAP Replication Server, versions 16.0.3, 16.0.4 | Medium | 6.5 |
| 3459379 | Update to Security Note released on June 2024 Patch Day: [CVE-2024-34683] Unrestricted file upload in SAP Document Builder (HTTP service) | SAP Document Builder, versions S4CORE 100, 101, S4FND 102, 103, 104, 105, 106, 107, 108, SAP_BS_FND 702, 731, 746, 747, 748 | Medium | 6.5 |
| 3474590 | [CVE-2024-42376] Multiple Missing Authorization Check vulnerabilities in SAP Shared Service Framework; additional CVE: CVE-2024-42377 | SAP Shared Service Framework, versions SAP_BS_FND 702, 731, 746, 747, 748 | Medium | 6.5 |
| 3438085 | [CVE-2024-33005] Missing Authorization check in SAP NetWeaver Application Server (ABAP and Java), SAP Web Dispatcher and SAP Content Server | SAP NetWeaver Application Server (ABAP and Java), SAP Web Dispatcher and SAP Content Server, versions KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, WEBDISP 7.53, 7.77, 7.85, 7.22_EXT, 7.89, 7.54, 7.93, KERNEL 7.22, 7.53, 7.77, 7.85, 7.89, 7.54, 7.93 | Medium | 6.3 |
| 3482217 | Update to Security Note released on July 2024 Patch Day: [CVE-2024-39594] Multiple Cross-Site Scripting (XSS) vulnerabilities in SAP Business Warehouse - Business Planning and Simulation | SAP Business Warehouse - Business Planning and Simulation, versions SAP_BW 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, SAP_BW_VIRTUAL_COMP 701 | Medium | 6.1 |
| 3465455 | Update to Security Note released on June 2024 Patch Day: [CVE-2024-37176] Missing Authorization check in SAP BW/4HANA Transformation and DTP | SAP BW/4HANA Transformation and Data Transfer Process, versions DW4CORE 200, 300, 400, 796, SAP_BW 740, 750, 751, 752, 753, 754, 755, 756, 757, 758 | Medium | 5.5 |
| 3483256 | [CVE-2024-41735] Cross-Site Scripting (XSS) vulnerability in SAP Commerce Backoffice | SAP Commerce Backoffice, version HY_COM 2205 | Medium | 5.4 |
| 3471450 | [CVE-2024-41733] Information Disclosure Vulnerability in SAP Commerce | SAP Commerce, versions HY_COM 2205, COM_CLOUD 2211 | Medium | 5.3 |
| 3487537 | [CVE-2024-41737] Server-Side Request Forgery (SSRF) in SAP CRM ABAP (Insights Management) | SAP CRM ABAP (Insights Management), versions BBPCRM 700, 701, 702, 712, 713, 714 | Medium | 5.0 |
| 3458789 | Update to Security Note released on July 2024 Patch Day: [CVE-2024-34689] Server-Side Request Forgery in SAP Business Workflow (WebFlow Services) | SAP Business Workflow (WebFlow Services), versions SAP_BASIS 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758 | Medium | 5.0 |
| 3468102 | [CVE-2024-41732] Improper Access Control in SAP NetWeaver Application Server ABAP | SAP NetWeaver Application Server ABAP, versions SAP_UI 754, 755, 756, 757, 758, SAP_BASIS 700, 701, 702, 731, 912 | Medium | 4.7 |
| 3150704 | Update to Security Note released on January 2023 Patch Day: [CVE-2023-0023] Information Disclosure in SAP Bank Account Management (Manage Banks) | SAP Bank Account Management (Manage Banks), versions 800, 900 | Medium | 4.5 |
| 3433545 | [CVE-2024-42375] Multiple Unrestricted File Upload vulnerabilities in SAP BusinessObjects Business Intelligence Platform; additional CVEs: CVE-2024-28166, CVE-2024-41731 | SAP BusinessObjects Business Intelligence Platform, versions ENTERPRISE 420, 430, 440 | Medium | 4.3 |
| 3475427 | [CVE-2024-41736] Information Disclosure vulnerability in SAP Permit to Work | SAP Permit to Work, versions UIS4HOP1 800, 900 | Medium | 4.3 |
| 3477423 | [CVE-2024-39591] Missing Authorization check in SAP Document Builder | SAP Document Builder, versions S4FND 102, 103, 104, 105, 106, 107, 108, SAP_BS_FND 702, 731, 746, 747, 748 | Medium | 4.3 |
| 3479293 | [CVE-2024-42373] Missing Authorization Check in SAP Student Life Cycle Management (SLcM) | SAP Student Life Cycle Management (SLcM), versions IS-PS-CA 617, 618, 802, 803, 804, 805, 806, 807, 808 | Medium | 4.3 |
| 3494349 | [CVE-2024-41734] Missing Authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform | SAP NetWeaver Application Server ABAP and ABAP Platform, versions SAP_BASIS 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, 912 | Medium | 4.3 |
| 3454858 | Update to Security Note released on July 2024 Patch Day: [CVE-2024-37180] Information Disclosure vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform | SAP NetWeaver Application Server for ABAP and ABAP Platform, versions SAP_BASIS 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758 | Medium | 4.1 |

For details about the security researchers and research firms who contributed to this month's security patches, see here.

SAP is committed to delivering trustworthy products and cloud services. Secure configuration is essential for secure operation and data integrity. To help you configure the SAP portfolio for the best possible security, the consolidated security recommendations are documented in this document.

Past blog posts are available in the archive here.

If you have comments or feedback on this post, please contact secure@sap.com.