Both vulnerabilities score above 9 on CVSS and can allow access to sensitive data if not patched immediately.

SAP has patched a batch of severe bugs affecting its systems, including two critical vulnerabilities that can allow full system compromise. On its Security Patch Day for August 2024, the software giant rolled out fixes for a total of 17 vulnerabilities, with six hot fixes — CVSS ranging between 7 and 10 out of 10 — and the remaining patches rated moderate to medium severity. The company has called for immediate patching of all these vulnerabilities with their respective updates and has also recommended workarounds for a few of them where patching isn’t immediately possible.

Two critical vulnerabilities

Of the two critical vulnerabilities addressed on the patch day, the more severe is an authentication bypass flaw (CVE-2024-41730) with a CVSS score of 9.8/10 affecting SAP’s BusinessObjects business intelligence platform; the other is a server-side request forgery (SSRF) vulnerability in applications built with SAP Build Apps.

CVE-2024-41730, as described by SAP, stems from a missing authentication check in the SAP BusinessObjects business intelligence platform. “In SAP BusinessObjects Business Intelligence Platform, if Single Signed On is enabled on Enterprise authentication, an unauthorized user can get a logon token using a REST endpoint,” the ERP vendor said in a security advisory. The attacker can fully compromise the system, resulting in a high impact on confidentiality, integrity, and availability, SAP added.

The SSRF bug, CVE-2024-29415, is instead due to an improper categorization of IP addresses in the “ip” package for Node.js. This, SAP noted, exists because of an incomplete fix for CVE-2023-42282.
“The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic,” the company added.

SAP is a frequent adversary target

SAP vulnerabilities are a favorite of threat actors: a recent study found a 5x jump in ransomware attacks targeting SAP systems since 2021. Ransomware being the leading type of attack on SAP systems points to a strong financial motivation.

Other severe vulnerabilities fixed alongside the two critical patches include CVE-2024-34688, a denial of service (DoS) in SAP NetWeaver AS Java; CVE-2024-42374, an XML injection in SAP BEx Web Java Runtime Export Web Service; CVE-2023-30533, prototype pollution in SAP S/4 HANA; and CVE-2024-33003, an information disclosure vulnerability in SAP Commerce Cloud.

While all these vulnerabilities have been tagged with “high” severity, exploitability can vary depending on the access prerequisites for the threat actor and the privileges they grant. Users are advised to apply these patches as soon as possible to protect against attackers eager to break into SAP systems.

The study also highlighted a 490% uptick in conversations about SAP vulnerabilities and exploits across the open, deep, and dark web from 2021 to 2023.
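The categorization failure SAP quotes for the “ip” package is the classic SSRF-filter weakness: a guard decides an address is “public” from a loosely parsed string, so shorthand spellings such as 127.1 or an IPv4-mapped IPv6 address slip past it. The following Python guard is an added illustration, not code from the article, from SAP, or from the ip package; it parses strictly with the standard ipaddress module, judges IPv4-mapped IPv6 by the embedded IPv4 address, and fails closed on anything it cannot parse. The sample inputs are constructed from the forms quoted in the advisory plus a few ordinary addresses.

```python
import ipaddress

# Constructed samples: the shorthand forms quoted in the SAP advisory text.
ADVISORY_SAMPLES = [
    "127.1",              # short dotted form, resolves to loopback on many stacks
    "01200034567",        # bare integer form
    "012.1.2.3",          # leading-zero octet (octal on some stacks)
    "000:0:0000::01",     # zero-padded spelling of ::1
    "::fFFf:127.0.0.1",   # IPv4-mapped IPv6 wrapping loopback
]


def is_public_address(text: str) -> bool:
    """Return True only if `text` is a canonical IP literal that is globally routable.

    Anything that is not a well-formed literal is rejected rather than guessed at:
    an SSRF guard has to fail closed.
    """
    literal = text.strip()
    try:
        addr = ipaddress.ip_address(literal)
    except ValueError:
        # "127.1" and "01200034567" are not valid literals for ipaddress at all.
        return False

    if isinstance(addr, ipaddress.IPv4Address):
        # Require canonical dotted-quad spelling: four decimal octets, no leading
        # zeros. Older interpreters parse "012.1.2.3" as 12.1.2.3; comparing the
        # round-tripped string rejects it regardless of Python version.
        if str(addr) != literal:
            return False
    else:
        # An IPv4-mapped IPv6 address ("::ffff:a.b.c.d") is judged by the IPv4
        # address it carries, so "::fFFf:127.0.0.1" is treated as 127.0.0.1.
        mapped = addr.ipv4_mapped
        if mapped is not None:
            addr = mapped

    # Deny every non-routable class explicitly instead of relying on a single
    # "is it public?" predicate: private, loopback, link-local (which also covers
    # 169.254.0.0/16), multicast, reserved and unspecified ranges.
    return not (
        addr.is_private
        or addr.is_loopback
        or addr.is_link_local
        or addr.is_multicast
        or addr.is_reserved
        or addr.is_unspecified
    )


def classify_samples(samples=ADVISORY_SAMPLES) -> dict:
    """Map each sample literal to the guard's verdict, for inspection."""
    return {s: is_public_address(s) for s in samples}


if __name__ == "__main__":
    for literal, verdict in classify_samples(ADVISORY_SAMPLES + ["8.8.8.8"]).items():
        print(f"{literal:>20}  ->  {'public' if verdict else 'rejected'}")
```

The design choice worth noting is the canonical-form check for IPv4: rather than trying to enumerate every alternative spelling an address can take, the guard accepts exactly one spelling and rejects the rest, which is what turns a blocklist-style filter into one that cannot be bypassed by notation alone. A check like this also has to run after DNS resolution, on the address the connection will actually use, since a hostname can resolve to any of these addresses.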