SAP Patches Important Command Injection Vulnerabilities – Cyber Tech

Enterprise software program maker SAP on Tuesday launched 10 new and two up to date safety notes as a part of its March 2024 Safety Patch Day, calling consideration to severe bugs in business-facing merchandise.

Three of the notes are marked ‘sizzling information’ — the very best severity score in SAP’s playbook — and resolve vital vulnerabilities within the Chromium browser in Enterprise Shopper, Construct Apps, and NetWeaver AS Java.

Probably the most extreme is an replace that brings the most recent Chrome patches to Enterprise Shopper. Now operating Chromium model 121.0.6167.184, the replace resolves 29 safety defects within the browser, together with two critical-severity bugs and 15 high-severity points.

The corporate documented the second severe bug as CVE-2019-10744 (CVSS rating of 9.4), a vital vulnerability within the lodash utility library in Construct Apps. Functions constructed utilizing a flawed iteration of the instrument permit attackers to run unauthorized instructions on the system, in accordance with a warning from software safety agency Onapsis.

Construct Apps model 4.9.145 addresses the flaw and functions must be rebuilt utilizing this or a more moderen iteration of the programming instrument.

The third sizzling information word launched on SAP’s March 2024 Safety Patch Day addresses CVE-2024-22127 (CVSS rating of 9.1) a code injection flaw within the Administrator Log Viewer plugin of NetWeaver AS Java.

An incomplete checklist of file varieties prohibited for add permits an attacker to add arbitrary information, which might result in command injection.

“This may allow the attacker to run instructions which might trigger excessive impression on confidentiality, integrity, and availability of the applying. The patch offers an prolonged checklist of prohibited file varieties,” Onapsis famous.

On Tuesday, SAP additionally revealed three high-priority safety notes, together with an replace to an August 2023 word addressing an improper authentication flaw in Commerce Cloud that might permit attackers to authenticate with no passphrase.

The brand new high-priority safety notes deal with a denial-of-service bug in HANA XS Traditional and HANA XS Superior, associated to the usage of the HTTP/2 protocol, and a path traversal problem within the central administration console of the BusinessObjects Enterprise Intelligence Platform, which exists due to a weak model of Apache Struts.

The remaining six safety notes deal with medium-severity vulnerabilities in NetWeaver, Fiori Entrance Finish Server, and ABAP Platform.

SAP makes no point out of any of those vulnerabilities being exploited within the wild, however menace actors are recognized to have focused flaws in SAP functions for which patches have been launched.

Associated: SAP Patches Important Vulnerability Exposing Consumer, Enterprise Knowledge

Associated: SAP’s First Patches of 2024 Resolve Important Vulnerabilities

Associated: Patch Tuesday: Adobe Patches Important Flaws in Enterprise Merchandise

Associated: SAP Patches Important Vulnerability in Enterprise Know-how Platform