The October 2024 SAP Security Notes feature a critical update for a missing authentication check in SAP BusinessObjects (BOBJ) that can compromise SSO tickets. Other high-risk notes address a file upload vulnerability in BOBJ, open-source library issues in SAP Enterprise Project Connection, and information disclosure in NetWeaver.
SAP’s October 2024 security update is led by a critical patch for SAP BusinessObjects. Note 3479478 addresses a missing authentication check that could allow attackers to compromise Single Sign-On logon tickets. Another high-risk note for BOBJ, 3478615, patches a file upload and execution vulnerability that requires both a patch and manual ACL configuration. Additionally, SAP released note 3523541 to update vulnerable Spring Framework and Log4j libraries within SAP Enterprise Project Connection. Finally, two information disclosure vulnerabilities were fixed in SAP NetWeaver AS ABAP and AS Java via notes 3454858 and 3477359, which could have exposed file system information and RFC credentials.
Key Takeaways
- A critical missing authentication vulnerability in SAP BOBJ (Note 3479478) requires immediate attention.
- A high-risk file upload vulnerability in BOBJ (Note 3478615) needs both a patch and ACL maintenance.
- Vulnerable open-source libraries (Spring, Log4j) were updated in SAP Enterprise Project Connection via Note 3523541.
- Information disclosure flaws were patched in SAP NetWeaver AS ABAP and AS Java.
What are the October 2024 SAP Security Notes?
The table below summarizes the key vulnerabilities addressed in the October 2024 patch release.
| SAP Note | Vulnerability | Affected System(s) | Risk Level |
|---|---|---|---|
| 3479478 | Critical Missing Authentication Check | SAP BusinessObjects (BOBJ) | Hot News (Critical) |
| 3478615 | Unrestricted File Upload / Malicious File Execution | SAP BusinessObjects (BOBJ) | High |
| 3523541 | Vulnerabilities in Spring Framework & Log4j | SAP Enterprise Project Connection | High |
| 3454858 | Information Disclosure | SAP NetWeaver AS ABAP | Medium |
| 3477359 | Information Disclosure | SAP NetWeaver AS Java | Medium |
What action is required for the BOBJ vulnerabilities?
For the critical vulnerability in Note 3479478, applying the provided patch for BOBJ 4.2 SP009 is essential to fix the missing authentication check that exposes SSO logon tickets. A workaround is available that involves disabling trusted authentication in the BIPRWS Web Application.
For the high-risk vulnerability in Note 3478615, administrators must apply the relevant support package patch and also create and maintain an access control list (ACL) to restrict which folders can contain personal data providers. Simply applying the patch is not sufficient to mitigate this vulnerability.
Frequently Asked Questions (FAQ)
What was the most critical SAP vulnerability in October 2024?
The most critical vulnerability was a missing authentication check in SAP BusinessObjects Business Intelligence Platform, addressed in Hot News note 3479478. This flaw could allow an attacker to compromise logon tickets used for Single Sign-On.
What action is required for the BOBJ file upload vulnerability (Note 3478615)?
Fixing this high-risk vulnerability requires two steps: applying the relevant support package patch and creating/maintaining an access control list (ACL). The ACL is necessary to define which folders can contain personal data providers to prevent malicious file execution.
Were any open-source library vulnerabilities patched?
Yes, note 3523541 addresses multiple vulnerabilities in the Spring Framework and Log4j open-source libraries that are included in SAP Enterprise Project Connection. The patch updates the libraries to their secure versions.