"SAP Patches Critical Vulnerability Exposing User, Business Data"

Enterprise software maker SAP has recently announced the release of 13 new and three updated security notes as part of its February 2024 Security Patch Day, including one addressing a critical vulnerability in the SAP ABA cross-application component.  The critical issue, a code injection bug tracked as CVE-2024-22131 (CVSS score of 9.1), could be exploited by an attacker with remote execution authorization to use a vulnerable interface to invoke an application function and perform actions without permission.  According to a NIST advisory, depending on the function executed, the attacker can read or modify any user/business data and can make the entire system unavailable.  SAP says it has addressed the flaw by adding a configurable check on external calls to the function module.  Enabled by default, the check blocks external calls, but customers can adjust its configuration to use Web Survey remote capabilities.  The vulnerability impacts SAP ABA (Application Basis) versions 700, 701, 702, 731, 740, 750, 751, 752, 75C, and 75I.  SAP also released five new security notes dealing with high-severity bugs, including cross-site scripting (XSS) and XML External Entity (XEE) injection bugs in NetWeaver AS Java, an XSS issue in CRM (WebClient UI), a code injection defect in IDES Systems, and an improper certificate validation in Cloud Connector.  SAP noted that seven medium-severity flaws impacting Bank Account Management, Companion, NetWeaver Application Server ABAP (SAP Kernel), NetWeaver Business Client for HTML, Fiori, Master Data Governance Material, and CRM (WebClient UI) were also resolved.  SAP also recently announced updates for a hot news note delivering patches for 33 vulnerabilities in the Chrome browser for Business Client, a high-priority note addressing an information disclosure bug in NetWeaver Application Server ABAP, and a low-priority note fixing a directory traversal issue in Master Data Governance.  Users are advised to apply the patches as soon as possible.  SAP has not mentioned if these vulnerabilities were being exploited in attacks, but threat actors are known to have targeted flaws in SAP products for which fixes have been released.

SecurityWeek reports: "SAP Patches Critical Vulnerability Exposing User, Business Data"