Skip links
Vahagn Vardanian

Vahagn Vardanian

Co-founder and CTO of RedRays

SAP Security Patch Day – January 2024

On January 9th, 2024, SAP released a crucial set of security patches. These updates are essential for addressing a variety of vulnerabilities discovered in different SAP components. The primary focus of this SAP Security Patch Day is on fixing program errors that could result in significant security vulnerabilities. Below, you will find a comprehensive summary of the security notes issued, sorted by their severity based on the Common Vulnerability Scoring System (CVSS) scores:

Vulnerability ID CVE Number Description CVSS Score Release Date Update Date
3413475 Multiple CVEs Escalation of Privileges in SAP Edge Integration Cell 9.1 09.01.2024 09.01.2024
3412456 CVE-2023-49583 Escalation of Privileges in applications developed through SAP Business Application Studio, SAP Web IDE Full-Stack and SAP Web IDE for SAP HANA 9.1 09.01.2024 09.01.2024
3411869 CVE-2024-21737 Code Injection vulnerability in SAP Application Interface Framework (File Adapter) 8.4 09.01.2024 09.01.2024
3386378 CVE-2024-22125 Information Disclosure vulnerability in Microsoft Edge browser extension (SAP GUI connector for Microsoft Edge) 7.4 09.01.2024 09.01.2024
3389917 CVE-2023-44487 Denial of service (DOS) in SAP Web Dispatcher, SAP NetWeaver Application server ABAP, and ABAP Platform 7.5 09.01.2024 09.01.2024
3407617 CVE-2024-21735 Improper Authorization check in SAP LT Replication Server 7.3 09.01.2024 09.01.2024
3260667 CVE-2024-21736 Missing Authorization check in SAP S/4HANA Finance (Advanced Payment Management) 6.4 09.01.2024 09.01.2024
3392626 CVE-2024-22124 Information Disclosure vulnerability in SAP NetWeaver Internet Communication Manager 4.1 09.01.2024 09.01.2024
3387737 CVE-2024-21738 Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver ABAP Application Server and ABAP Platform 4.1 09.01.2024 09.01.2024
3190894 CVE-2024-21734 URL Redirection vulnerability in SAP Marketing (Contacts App) 3.7 09.01.2024 09.01.2024

Statistics:

  • Total new SAP notes released: 10
  • Total vulnerabilities addressed: 10
  • Highest CVSS Score: 9.1 (HotNews)

Top 3 Critical Issues:

  1. BC-CP-IS-EDG-DPL & CA-BAS-S8D [Multiple CVEs & CVE-2023-49583]: Escalation of Privileges in SAP Edge Integration Cell and applications developed through SAP Business Application Studio, SAP Web IDE Full-Stack, and SAP Web IDE for SAP HANA (CVSS Score: 9.1)

    These vulnerabilities could lead to unauthorized escalation of privileges, posing a significant threat to system security and data integrity.

  2. BC-SRV-AIF [CVE-2024-21737]: Code Injection vulnerability in SAP Application Interface Framework (File Adapter) (CVSS Score: 8.4)

    This issue allows attackers to inject malicious code, potentially compromising the confidentiality, integrity, and availability of the system.

  3. BC-FES-CTL [CVE-2024-22125]: Information Disclosure vulnerability in Microsoft Edge browser extension (SAP GUI connector for Microsoft Edge) (CVSS Score: 7.4)

    This vulnerability could lead to unauthorized disclosure of sensitive information, impacting the confidentiality of data processed through the SAP GUI connector for Microsoft Edge.

More to explorer

Special offer for SAP Security Udemy course!

$ 9.99

Join “SAP Security Core Concepts and Security Administration” which is part of the Blackhat course series.