This post shares information on the Security Notes that remediate vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply the patches with priority to protect their SAP landscape.
On 9 January 2024, SAP Security Patch Day saw the release of 10 new Security Notes. In addition, there were 2 updates to previously released Security Notes.
Note# | Title | Affected products and versions | Severity | CVSS
---|---|---|---|---
3412456 | [CVE-2023-49583] Escalation of Privileges in applications developed through SAP Business Application Studio, SAP Web IDE Full-Stack and SAP Web IDE for SAP HANA | Library @sap/xssec, versions < 3.6.0; Library @sap/approuter, version 14.4.2 | Hot News | 9.1
3413475 | [Multiple CVEs] Escalation of Privileges in SAP Edge Integration Cell (related CVEs: CVE-2023-49583, CVE-2023-50422) | SAP Edge Integration Cell, versions >= 8.9.13 | Hot News | 9.1
3411067 | Update to Security Note released on December 2023 Patch Day: [Multiple CVEs] Escalation of Privileges in SAP Business Technology Platform (BTP) Security Services Integration Libraries (CVEs: CVE-2023-49583, CVE-2023-50422, CVE-2023-50423, CVE-2023-50424) | Library @sap/xssec, versions < 3.6.0; Library cloud-security-services-integration-library, versions < 2.17.0 and from 3.0.0 before 3.3.0; Library sap-xssec, versions < 4.1.0; Library github.com/sap/cloud-security-client-go, versions < 0.17.0 | Hot News | 9.1
3411869 | [CVE-2024-21737] Code Injection vulnerability in SAP Application Interface Framework (File Adapter) | SAP Application Interface Framework (File Adapter), version 702 | High | 8.4
3389917 | [CVE-2023-44487] Denial of service (DOS) in SAP Web Dispatcher, SAP NetWeaver Application Server ABAP, and ABAP Platform | SAP Web Dispatcher, versions WEBDISP 7.53, WEBDISP 7.54, WEBDISP 7.77, WEBDISP 7.85, WEBDISP 7.89, WEBDISP 7.90, WEBDISP 7.94, WEBDISP 7.95; SAP NetWeaver AS ABAP and ABAP Platform, versions KRNL64UC 7.53, KERNEL 7.53, KERNEL 7.77, KERNEL 7.85, KERNEL 7.89, KERNEL 7.54, KERNEL 7.94, KERNEL 7.93, KERNEL 7.95 | High | 7.5
3386378 | [CVE-2024-22125] Information Disclosure vulnerability in Microsoft Edge browser extension (SAP GUI connector for Microsoft Edge) | Microsoft Edge browser extension (SAP GUI connector for Microsoft Edge), version 1.0 | High | 7.4
3407617 | [CVE-2024-21735] Improper Authorization check in SAP LT Replication Server | SAP LT Replication Server, versions S4CORE 103, S4CORE 104, S4CORE 105, S4CORE 106, S4CORE 107, S4CORE 108 | High | 7.3
3260667 | [CVE-2024-21736] Missing Authorization check in SAP S/4HANA Finance (Advanced Payment Management) | SAP S/4HANA Finance (Advanced Payment Management), versions SAPSCORE 128, S4CORE 10 | Medium | 6.4
3324732 | Update to Security Note released on July 2023 Patch Day: [CVE-2023-31405] Log Injection vulnerability in SAP NetWeaver AS for Java (Log Viewer) | SAP NetWeaver AS for Java (Log Viewer), versions ENGINEAPI 7.50, SERVERCORE 7.50, J2EE-APPS 7.50 | Medium | 5.3
3387737 | [CVE-2024-21738] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver ABAP Application Server and ABAP Platform | SAP NetWeaver ABAP Application Server and ABAP Platform, versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 793, SAP_BASIS 79 | Medium | 4.1
3392626 | [CVE-2024-22124] Information Disclosure vulnerability in SAP NetWeaver Internet Communication Manager | SAP NetWeaver (Internet Communication Manager), versions KERNEL 7.22, KERNEL 7.53, KERNEL 7.54, KRNL64UC 7.22, KRNL64UC 7.22EXT, KRNL64UC 7.53, KRNL64NUC 7.22, KRNL64NUC 7.22_EXT, WEBDISP 7.22_EXT, WEBDISP 7.53, WEBDISP 7.54 | Medium | 4.1
3190894 | [CVE-2024-21734] URL Redirection vulnerability in SAP Marketing (Contacts App) | SAP Marketing (Contacts App), version 160 | Low | 3.7
To learn more about the security researchers and research companies who contributed to this month's security patches, visit here.
Archived blogs from previous years are available here.
If you have any comments or feedback about this post, you can write to secure@sap.com.
SAP is committed to delivering trustworthy products and cloud services. Secure configuration is essential to ensure secure operation and data integrity. We have therefore documented security recommendations, consolidated in this document, to help you configure the best security for your SAP portfolio.
Reference : SAP Security Patch Day – January 2024