SAP’s August 2024 security advisories address several critical vulnerabilities, including a Server-Side Request Forgery (SSRF) in SAP Build Apps and a missing authentication check in SAP BusinessObjects Business Intelligence Platform (BOBJ). These Hot News patches require immediate attention to prevent system compromise and data leakage.
The August 2024 SAP Patch Day released fixes for multiple high-impact vulnerabilities. A critical “Hot News” note, 3477196, addresses an SSRF flaw (CVE-2024-29415) in SAP Build Apps; because the vulnerable code is bundled into each application, the fix is not a server-side patch but a rebuild and redeployment of every affected app. Another Hot News note, 3479478, patches a missing authentication check (CVE-2024-41730) in the SAP BOBJ platform that lets an unauthenticated attacker obtain single sign-on logon tokens. SAP also released a high-priority fix for an XML injection vulnerability in SAP Business Intelligence (Note 3485284) and a patch for an information disclosure issue in SAP Commerce Cloud (Note 3459935) that could expose sensitive Personally Identifiable Information (PII). Administrators should prioritize applying these patches to secure their SAP landscapes.
Key Takeaways
- A critical SSRF vulnerability (CVE-2024-29415) was found in SAP Build Apps.
- SAP BOBJ was patched for a missing authentication check (CVE-2024-41730).
- A high-priority XML injection flaw was fixed in SAP Business Intelligence.
- An information disclosure vulnerability in SAP Commerce Cloud could leak PII.
- Administrators must rebuild SAP Build Apps and apply patches for BOBJ and Commerce Cloud.
August 2024 SAP Security Note Summary
The following table summarizes the key vulnerabilities addressed in the August 2024 security notes.
| SAP Note | CVE | Severity | Vulnerability Type | Affected Product(s) | Required Action |
|---|---|---|---|---|---|
| 3477196 | CVE-2024-29415 | Hot News | Server-Side Request Forgery (SSRF) | SAP Build Apps | Rebuild applications with version 4.11.130 or later. |
| 3479478 | CVE-2024-41730 | Hot News | Missing Authentication Check | SAP BusinessObjects Business Intelligence Platform (BOBJ) | Apply the patch to secure the default SSO configuration. |
| 3485284 | N/A | High | XML Injection | SAP Business Intelligence 7.50 (BEx Web Java Runtime) | Apply the patch to fix the PDF export service. |
| 3459935 | N/A | Medium | Information Disclosure | SAP Commerce Cloud | Replace vulnerable API endpoints with new secure variants. |
What was the critical SSRF vulnerability in SAP Build Apps? (Note 3477196)
Hot News note 3477196 addresses a critical Server-Side Request Forgery (SSRF) vulnerability, identified as CVE-2024-29415, in applications constructed with SAP Build Apps. The flaw originates in an outdated Node.js dependency of AppGyver, the low-code platform on which SAP Build Apps is built: CVE-2024-29415 is the `ip` package's isPublic() check accepting non-canonical address forms such as 127.1 as globally routable, so a request filter built on it can be steered at loopback or internal hosts. Because that code is compiled into each application rather than running in a central SAP service, the fix is not delivered as a server-side patch: organizations must rebuild their applications with SAP Build Apps version 4.11.130 or a later release and redeploy them, and any app built with an earlier version remains vulnerable until it is rebuilt.
What was the authentication vulnerability in SAP BOBJ? (Note 3479478)
Hot News note 3479478 patches a missing authentication check in the SAP BusinessObjects Business Intelligence Platform (BOBJ), tracked as CVE-2024-41730. When single sign-on is enabled on Enterprise authentication, an unauthenticated attacker could obtain a logon token through a REST endpoint and then use it to access the platform as a legitimate user. The fix secures the default configuration of single sign-on for Enterprise authentication; after patching, confirm which authentication modes still have SSO enabled and check for logon tokens issued to clients that should not have received them.
What was the XML injection vulnerability in SAP Business Intelligence? (Note 3485284)
Note 3485284 is a high-priority patch for an XML injection vulnerability in the Export Web Service of the BEx Web Java Runtime within SAP Business Intelligence version 7.50. The issue specifically affects PDF export that uses Java ALV (the SAP List Viewer for Java) together with ADS (Adobe Document Services). XML injection means that attacker-supplied input reaches the XML handed to the export service without being neutralised, so the attacker can change the structure of that document rather than only the text inside an element. Applying the note resolves the injection flaw.
What was the information disclosure flaw in SAP Commerce Cloud? (Note 3459935)
Note 3459935 fixes an information disclosure vulnerability in SAP Commerce Cloud that could leak Personally Identifiable Information (PII). Specific API endpoints accept passwords, email addresses, mobile numbers and coupon codes as query or path parameters; data passed in the URL this way ends up in web server, proxy and CDN access logs, browser history and Referer headers, where parties who should never see it can read it. The note provides a workaround and requires that the vulnerable endpoints be replaced with the new, secure variants described in its solution section; after switching, historical access logs that still contain those parameters should be purged or redacted.
Frequently Asked Questions (FAQ)
What is an SAP Hot News note?
An SAP Hot News note is a Priority 1 security note, the highest of SAP's four priority levels, assigned to vulnerabilities with a CVSS base score of 9.0 to 10.0. Such notes require immediate attention from system administrators to prevent severe exploits or system disruptions.
What is a Server-Side Request Forgery (SSRF) vulnerability?
A Server-Side Request Forgery (SSRF) is a security vulnerability that allows an attacker to force a server-side application to make requests to a destination of the attacker's choosing. Because the request originates from the server, it can reach internal-only services (including cloud instance metadata endpoints), retrieve data the server is allowed to fetch, or interact with other back-end systems that trust the server's network position.
Which SAP products had major vulnerabilities in August 2024?
The August 2024 security notes highlighted major vulnerabilities in SAP Build Apps, SAP BusinessObjects Business Intelligence Platform (BOBJ), SAP Business Intelligence, and SAP Commerce Cloud.