The most critical SAP security notes of 2024 addressed severe vulnerabilities, including two “hot news” notes with a 9.8 CVSS score. These critical patches fixed flaws like missing authentication in SAP BusinessObjects and code injection in SAP CX Commerce, which could lead to complete system compromise if left unpatched.
In 2024, SAP released over 150 security notes to fix vulnerabilities across its product landscape, with an average CVSS score of 5.9. Approximately a quarter of these were classified as high priority or “hot news,” indicating a significant risk to business operations. Key vulnerabilities addressed this year included missing authentication checks, remote code execution, file upload bypasses, and Server-Side Request Forgery (SSRF). These issues affected major platforms such as SAP BusinessObjects (BOBJ), SAP CX Commerce, and SAP NetWeaver Application Servers (AS ABAP and AS Java). Organizations are strongly advised to prioritize the implementation of “hot news” notes or apply the specified workarounds to mitigate potential threats.
Key Takeaways
- Two security notes received a CVSS score of 9.8: Note 3479478 for SAP BusinessObjects and Note 3455438 for SAP CX Commerce.
- A critical file upload vulnerability (CVSS 9.6) in SAP NetWeaver AS ABAP was patched under Note 3448171.
- Common high-impact vulnerability types in 2024 included code injection, missing authentication, and Server-Side Request Forgery (SSRF).
- SAP released over 150 security notes in 2024, with roughly 25% categorized as high priority or “hot news”.
- Applying “hot news” patches or their documented workarounds should be the top priority for system administrators.
What Are SAP Security Notes?
SAP Security Notes are patches released by SAP on the second Tuesday of each month to address newly discovered vulnerabilities in its software solutions. These vulnerabilities are found by both internal SAP teams and external security researchers. Each note is scored using the Common Vulnerability Scoring System (CVSS), which provides a severity score from 0 to 10, and is assigned a priority level by SAP. The most critical notes are designated as “hot news”.
Which SAP Security Notes Were Most Critical in 2024?
The most critical notes of 2024 were distinguished by their high CVSS scores and the potential impact of the vulnerabilities they address. The following table summarizes the key “hot news” and high-priority notes released throughout the year.
| Note / CVE | CVSS Score | Affected Product(s) | Vulnerability Summary |
|---|---|---|---|
| Note 3479478 [CVE-2024-41730] | 9.8 | SAP BusinessObjects (BOBJ) | A missing authentication check allows attackers to compromise logon tickets via a REST endpoint if SSO is enabled. |
| Note 3455438 | 9.8 | SAP CX Commerce | Code injection and remote code execution in bundled open-source components (Swagger UI, Apache Calcite Avatica). |
| Note 3448171 [CVE-2024-33006] | 9.6 | SAP NetWeaver AS ABAP | A critical file upload vulnerability that could bypass malware scanning and lead to complete system compromise. |
| Note 3413475 | 9.1 | SAP Edge Integration Cell | Multiple CVEs leading to an escalation of privileges vulnerability. |
| Note 3412456 [CVE-2023-49583] | 9.1 | SAP Business Application Studio, Web IDE | Escalation of privileges in Node.js applications due to an outdated library. |
| Note 3536965 [CVE-2024-47578] | Not Stated | SAP NetWeaver AS Java | Server-Side Request Forgery (SSRF) and information disclosure in Adobe Document Services. |
| Note 3425274 [CVE-2019-10744] | Not Stated | SAP Build Apps | Code injection vulnerability due to an outdated version of the Lodash JavaScript library. |
| Note 3477196 [CVE-2024-29415] | Not Stated | SAP Build Apps | A severe Server-Side Request Forgery (SSRF) vulnerability. |
| Note 3433192 [CVE-2024-22127] | Not Stated | SAP NetWeaver AS Java | Code injection in the Administrator Log Viewer plug-in, requiring admin privileges to exploit. |
| Note 3420923 [CVE-2024-22131] | Not Stated | SAP NetWeaver AS ABAP | A code injection vulnerability in a vulnerable RFC service. |
Frequently Asked Questions (FAQ)
What is an SAP Security Note?
An SAP Security Note is a patch released by SAP to fix security vulnerabilities in its products. They are published monthly and contain corrections, workarounds, and details about the vulnerability’s impact.
How are SAP Security Notes scored?
SAP uses the Common Vulnerability Scoring System (CVSS) version 3.0 to assign a severity score from 0 to 10. SAP also assigns a priority, with the most severe vulnerabilities labeled as “hot news”.
What was the highest CVSS score for an SAP note in 2024?
The highest CVSS score in 2024 was 9.8, assigned to two different notes: Note 3479478 for SAP BusinessObjects and Note 3455438 for SAP CX Commerce.
What should I do if I cannot apply a patch immediately?
Some SAP Security Notes include workarounds that can be applied as a temporary measure to mitigate risk if the full patch cannot be implemented right away. These should be applied as soon as possible.