SAP Family February 2024 Routine Security Update Advisory

Overview

SAP has released an update that addresses vulnerabilities in its products. Users of affected versions are advised to update to the latest version.

Affected Products

CVE-2024-22131

  • SAP Application Basis (ABA) versions 700, 701, 702, 731, 740, 750, 751, 752, 75C, 75I

CVE-2024-22126

  • SAP_SE SAP NetWeaver AS Java (User Admin Application) version 7.50

CVE-2024-24743

  • SAP_SE SAP NetWeaver AS Java (Guided Procedures) version 7.50

CVE-2024-22130

  • SAP_SE SAP CRM WebClient UI versions S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, S4FND 107, S4FND 108, WEBCUIF 700, WEBCUIF 701, WEBCUIF 730, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800, WEBCUIF 801

CVE-2024-22132

  • SAP_SE All versions of SAP IDES Systems

CVE-2024-25642

  • SAP_SE SAP Cloud Connector version 2.0

CVE-2023-49580

  • SAP_SE SAP GUI for Windows and SAP GUI for Java, SAP_BASIS versions 755, 756, 757, 758

CVE-2024-24739

  • SAP_SE SAP Bank Account Management (BAM), versions SAP_FIN 618, SAP_FIN 730, S4CORE 100, 101

CVE-2024-22129

  • SAP_SE SAP Companion versions prior to 3.1.38

CVE-2024-24740

  • SAP_SE SAP NetWeaver Application Server ABAP (SAP Kernel) KERNEL 7.53, 7.54, 7.77, 7.85, 7.89, 7.93, 7.94
  • SAP_SE SAP NetWeaver Application Server ABAP (SAP Kernel) KRNL64UC 7.53

CVE-2024-22128

  • SAP_SE SAP NetWeaver Business Client for HTML SAP_UI 754, 755, 756, 757, 758
  • SAP_SE SAP NetWeaver Business Client for HTML SAP_BASIS 700, 701, 702, 731

CVE-2024-25643

  • SAP_SE SAP Fiori app (My Overtime Requests) version 605

CVE-2024-24741

  • SAP_SE SAP Master Data Governance Material 618, 619, 620, 621, 622, 800, 801, 803, 804

CVE-2024-24742

  • SAP_SE SAP CRM (WebClient UI) S4FND 102, 103, 104, 105, 106
  • SAP_SE SAP CRM (WebClient UI) WEBCUIF 701, 731, 746, 747, 748, 800, 801

CVE-2023-49058

  • SAP_SE SAP Master Data Governance MDG_FND 731, 732, 746, 747, 748, 749, 752, 800, 802, 803, 804, 805, 806, 807, 808
  • SAP_SE SAP Master Data Governance SAP_BS_FND 702

Resolved Vulnerabilities

Code Injection Vulnerability in SAP ABA (CVE-2024-22131, CVSS 9.1)
Cross Site Scripting Vulnerability in SAP NetWeaver AS Java (User Management Application) (CVE-2024-22126, CVSS 8.8)
XXE Vulnerability in SAP NetWeaver AS Java (CVE-2024-24743, CVSS 8.6)
XSS Vulnerability in CRM WebClient UI in SAP (CVE-2024-22130, CVSS 7.6)
Code Injection Vulnerability in SAP IDES system (CVE-2024-22132, CVSS 7.4)
Sensitive Information Access Vulnerability due to improper certificate validation in SAP Cloud Connector (CVE-2024-25642, CVSS 7.4)
Information Disclosure Vulnerability in SAP GUI for Windows and SAP GUI for Java (CVE-2023-49580, CVSS 7.3)
Missing Authorization Check Vulnerability in SAP Bank Account Management (BAM) (CVE-2024-24739, CVSS 6.3)
Cross Site Scripting (XSS) Vulnerability in SAP Companion (CVE-2024-22129, CVSS 5.4)
Information Disclosure Vulnerability in SAP NetWeaver Application Server ABAP (SAP Kernel) (CVE-2024-24740, CVSS 5.3)
Cross Site Scripting (XSS) vulnerability in SAP NetWeaver Business Client for HTML (CVE-2024-22128, CVSS 4.7)
Privilege Escalation Vulnerability due to failure to perform authorization checks for authenticated users in SAP Fiori apps (CVE-2024-25643, CVSS 4.3)
Privilege Escalation Vulnerability due to failure to perform authorization checks for authenticated users in SAP Master Data Governance for Material Data (CVE-2024-24741, CVSS 4.3)
Cross Site Scripting (XSS) Vulnerability in SAP CRM (WebClient UI) (CVE-2024-24742, CVSS 4.1)
Directory Traversal Vulnerability in SAP Master Data Governance (CVE-2023-49058, CVSS 3.5)

Vulnerability Patches

Vulnerability patches were released in the February 13, 2024 update. Follow the guidance on the referenced site [1] to update to the latest patched version.

Referenced Sites

[1] SAP Security Patch Day – February 2024
https://support.sap.com/en/my-support/knowledge-base/security-notes-news/february-2024.html
[2] CVE-2024-22131
https://www.cve.org/CVERecord?id=CVE-2024-22131
[3] CVE-2024-22126
https://www.cve.org/CVERecord?id=CVE-2024-22126
[4] CVE-2024-24743
https://www.cve.org/CVERecord?id=CVE-2024-24743
[5] CVE-2024-22130
https://www.cve.org/CVERecord?id=CVE-2024-22130
[6] CVE-2024-22132
https://www.cve.org/CVERecord?id=CVE-2024-22132
[7] CVE-2024-25642
https://www.cve.org/CVERecord?id=CVE-2024-25642
[8] CVE-2023-49580
https://www.cve.org/CVERecord?id=CVE-2023-49580
[9] CVE-2024-24739
https://www.cve.org/CVERecord?id=CVE-2024-24739
[10] CVE-2024-22129
https://www.cve.org/CVERecord?id=CVE-2024-22129
[11] CVE-2024-24740
https://www.cve.org/CVERecord?id=CVE-2024-24740
[12] CVE-2024-22128
https://www.cve.org/CVERecord?id=CVE-2024-22128
[13] CVE-2024-25643
https://www.cve.org/CVERecord?id=CVE-2024-25643
[14] CVE-2024-24741
https://www.cve.org/CVERecord?id=CVE-2024-24741
[15] CVE-2024-24742
https://www.cve.org/CVERecord?id=CVE-2024-24742
[16] CVE-2023-49058
https://www.cve.org/CVERecord?id=CVE-2023-49058