SAP has released its August 2024 security patch update, addressing 17 new vulnerabilities, including two critical flaws that could allow attackers to bypass authentication and fully compromise affected systems.
The most severe vulnerability, CVE-2024-41730, affects SAP BusinessObjects Business Intelligence Platform versions 430 and 440. With a CVSS score of 9.8, this “missing authentication check” flaw enables unauthorized users to obtain a logon token via a REST endpoint if Single Sign-On is enabled on Enterprise authentication.
Successful exploitation could lead to full system compromise, impacting confidentiality, integrity, and availability.
The second critical vulnerability, CVE-2024-29415, is a server-side request forgery flaw in applications built with SAP Build Apps older than version 4.11.130. Rated 9.1 on the CVSS scale, this vulnerability stems from a weakness in the ‘IP’ package for Node.js.
Free Webinar on Detecting & Blocking Supply Chain Attack -> Book your Spot
SAP High-Severity Vulnerabilities
SAP’s security bulletin also includes four high-severity vulnerabilities:
- CVE-2024-42374: XML injection issue in SAP BEx Web Java Runtime Export Web Service (CVSS 8.2).
- CVE-2023-30533: Prototype pollution flaw in SAP S/4 HANA’s Manage Supply Protection module (CVSS 7.8).
- CVE-2024-34688: Denial of Service vulnerability in SAP NetWeaver AS Java’s Meta Model Repository component (CVSS 7.5).
- CVE-2024-33003: Information disclosure issue in SAP Commerce Cloud (CVSS score not provided).
Given SAP’s widespread use among Fortune 2000 companies, these vulnerabilities pose significant risks to corporate networks and sensitive business data. SAP has released patches to address these issues, and it is strongly recommended that affected organizations apply them immediately.
For CVE-2024-41730, patches are available for:
- SBOP BI PLATFORM SERVERS 4.3 – Patch Level SP005
- SBOP BI PLATFORM SERVERS 2025 – Patch Level SP00
- SBOP BI PLATFORM SERVERS 4.3 – Patch Level SP004
No workarounds have been provided, making patch application the only viable mitigation strategy.
Organizations using SAP products should treat these vulnerabilities with utmost urgency to protect their critical business data and operations.
While there are no reported exploits in the wild for CVE-2024-41730, it’s important to note that the absence of evidence doesn’t necessarily mean exploits don’t exist or aren’t being developed.
Given the critical nature of the vulnerability and its high CVSS score, it’s advisable for organizations using affected SAP BusinessObjects Business Intelligence Platform versions to apply the available patches as soon as possible to mitigate potential risks.
Are you from SOC and DFIR Teams? Analyse Malware Incidents & get live Access with ANY.RUN -> Get 14 Days Free Acces