SAP Patch Day: October 2024

High Priority Patches for SAP Enterprise Project Connection and SAP BusinessObjects

Author: Thomas Fritsch

Highlights of October SAP Security Notes analysis include:

  • October Summary: 12 new and updated SAP security patches released, including one HotNews Note and three High Priority Notes
  • News from Log4j and Spring Framework: vulnerabilities in the well-known open-source libraries require a High Priority patch for SAP Enterprise Project Connection
  • Updates on six SAP Security Notes: patches released for additional software component versions

SAP has released twelve SAP Security Notes on its October Patch Day (including the notes that were released or updated since last Patch Tuesday). This includes one HotNews Note and three High Priority Notes.

The HotNews Security Note #3479478, tagged with a CVSS score of 9.8, was initially released in August 2024 and patches a Missing Authentication Check vulnerability in SAP BusinessObjects Business Intelligence Platform. The note has now been updated and includes an additional patch for SAP customers who are on SBOP BI PLATFORM SERVERS 4.2 SP009.

Additional patches are also provided for a Missing Authorization Check vulnerability in SAP Product Design Cost Estimating (PDCE) that was initially fixed in July 2024 in collaboration with the Onapsis Research Labs. High Priority Note #3483344, tagged with a CVSS score of 7.7, now includes patches for the additional software components SEM-BW 600 to SEM-BW 748.

The New High Priority Notes in Detail

The Spring Framework and Log4j open-source libraries are back again on SAP Patch Day. SAP Security Note #3523541, tagged with a CVSS score of 8.0, patches multiple vulnerabilities in SAP Enterprise Project Connection by upgrading the affected library versions. The vulnerabilities are tracked under CVE-2024-22259, CVE-2024-38809, CVE-2024-38808 and CVE-2022-23302.

SAP Security Note #3478615 affects all SAP BusinessObjects Business Intelligence Platform customers and patches an Insecure File Operations vulnerability, tagged with a CVSS score of 7.7. If not patched, authenticated users can send specially crafted requests to the Web Intelligence Reporting Server to download any file from the machine hosting the service.

Summary & Conclusions

With only twelve SAP Security Notes, including only six new notes, SAP’s October Patch Day is a calm Patch Day. We recommend checking the updated SAP Security Notes in detail since most of them were extended by patches for additional software component versions.

[Image: SAP Patch Day Table - October 2024]

As always, the Onapsis Research Labs are already updating The Onapsis Platform to incorporate the newly published vulnerabilities into the product so that our customers can protect their businesses.

For more information about the latest SAP security issues and our continuous efforts to share knowledge with the security community, watch our monthly Defenders Digest or subscribe to The Defenders Monthly on LinkedIn.
