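SAP Security Patch Day: August 2024
This page shares information about the Security Notes that remediate vulnerabilities discovered in SAP products. To protect your SAP landscape, we strongly recommend applying these patches on priority.
On August 13, 2024, SAP Security Patch Day saw the release of 17 new Security Notes. In addition, there were 8 updates to previously released Security Notes.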
Note# | Title | Priority | CVSS |
---|---|---|---|
| | [CVE-2024-41730] Missing Authentication check in SAP BusinessObjects Business Intelligence Platform | Hot News | |
| | [CVE-2024-29415] Server-Side Request Forgery vulnerability in applications built with SAP Build Apps | Hot News | |
3485284 | [CVE-2024-42374] XML injection in SAP BEx Web Java Runtime Export Web Service Product- SAP BEx Web Java Runtime Export Web Service, Versions - BI-BASE-E 7.5, BI-BASE-B 7.5, BI-IBC 7.5, BI-BASE-S 7.5, BIWEBAPP 7.5 | High | |
3423268 | [CVE-2023-30533] Prototype Pollution in SAP S/4 HANA (Manage Supply Protection) Product- SAP S/4 HANA, Library Versions - SheetJS CE < 0.19.3 | High | |
3460407 | Update to Security Note released on June 2024 Patch Day: [CVE-2024-34688] Denial of service (DOS) in SAP NetWeaver AS Java (Meta Model Repository) Product- SAP NetWeaver AS Java, Version – MMR_SERVER 7.5 | High | |
3459935 | [CVE-2024-33003] Information Disclosure Vulnerability in SAP Commerce Cloud Product- SAP Commerce Cloud, Versions – HY_COM 1808, 1811, 1905, 2005, 2105, 2011, 2205, COM_CLOUD 2211 | High | |
3466801 | Update to Security Note released on July 2024 Patch Day: [CVE-2024-39593] Information Disclosure vulnerability in SAP Landscape Management Product- SAP Landscape Management, Version - VCM 3.00 | Medium | |
3495876 | [Multiple CVEs] Multiple vulnerabilities in SAP Replication Server (FOSS) CVEs - CVE-2023-0215, CVE-2022-0778 , CVE-2023-0286 Product- SAP Replication Server, Versions – 16.0.3, 16.0.4 | Medium | |
3459379 | Update to Security Note released on June 2024 Patch Day: [CVE-2024-34683] Unrestricted file upload in SAP Document Builder (HTTP service) | Medium | |
3474590 | [CVE-2024-42376] Multiple Missing Authorization Check vulnerabilities in SAP Shared Service Framework Additional CVE - CVE-2024-42377 Product- SAP Shared Service Framework, Versions – SAP_BS_FND 702, 731, 746, 747, 748 | Medium | |
3438085 | [CVE-2024-33005] Missing Authorization check in SAP NetWeaver Application Server (ABAP and Java), SAP Web Dispatcher and SAP Content Server Product- SAP NetWeaver Application Server (ABAP and Java), SAP Web Dispatcher and SAP Content Server, Versions – KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, WEBDISP 7.53, 7.77, 7.85, 7.22_EXT, 7.89, 7.54, 7.93, KERNEL 7.22, 7.53, 7.77, 7.85, 7.89, 7.54, 7.93 | Medium | |
3482217 | Update to Security Note released on July 2024 Patch Day: [CVE-2024-39594] Multiple Cross-Site Scripting (XSS) vulnerabilities in SAP Business Warehouse - Business Planning and Simulation | Medium | |
3465455 | Update to Security Note released on June 2024 Patch Day: [CVE-2024-37176] Missing Authorization check in SAP BW/4HANA Transformation and DTP | Medium | |
3483256 | [CVE-2024-41735] Cross-Site Scripting (XSS) vulnerability in SAP Commerce Backoffice | Medium | |
| | [CVE-2024-41733] Information Disclosure Vulnerability in SAP Commerce | Medium | |
3487537 | [CVE-2024-41737] Server-Side Request Forgery (SSRF) in SAP CRM ABAP (Insights Management) Product – SAP CRM ABAP (Insights Management), Versions – BBPCRM 700, 701, 702, 712, 713, 714 | Medium | |
3458789 | Update to Security Note released on July 2024 Patch Day: [CVE-2024-34689] Server-Side Request Forgery in SAP Business Workflow (WebFlow Services) | Medium | |
3468102 | [CVE-2024-41732] Improper Access Control in SAP Netweaver Application Server ABAP Product – SAP NetWeaver Application Server ABAP, Versions – SAP_UI 754, 755, 756, 757, 758, SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 912 | Medium | |
3150704 | Update to Security Note released on January 2023 Patch Day: [CVE-2023-0023] Information Disclosure in SAP Bank Account Management (Manage Banks) | Medium | |
3433545 | [CVE-2024-42375] Multiple Unrestricted File Upload vulnerabilities in SAP BusinessObjects Business Intelligence Platform Additional CVE - CVE-2024-28166, CVE-2024-41731 Product – SAP BusinessObjects Business Intelligence Platform, Versions – ENTERPRISE 420, 430, 440 | Medium | |
3475427 | [CVE-2024-41736] Information Disclosure vulnerability in SAP Permit to Work Product – SAP Permit to Work, Versions – UIS4HOP1 800, 900 | Medium | |
3477423 | [CVE-2024-39591] Missing Authorization check in SAP Document Builder | Medium | |
3479293 | [CVE-2024-42373] Missing Authorization Check in SAP Student Life Cycle Management (SLcM) | Medium | |
3494349 | [CVE-2024-41734] Missing Authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform | Medium | |
3454858 | Update to Security Note released on July 2024 Patch Day: [CVE-2024-37180] Information Disclosure vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform | Medium | 4.1 |
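For details on the security researchers and research companies who contributed to this month's security patches, see here.
SAP is committed to delivering trustworthy products and cloud services. Secure configuration is essential to ensuring secure operation and data integrity. For that reason, the security recommendations consolidated in this document have been documented so that you can configure optimal security for your SAP portfolio.
Past archived blogs can be found here.
If you have comments or feedback about this post, please contact secure@sap.com.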