SAP has released security updates for three high-severity vulnerabilities in different products, including what it describes as a security misconfiguration flaw in SAP NetWeaver, which serves as the technical foundation for many SAP apps.
The issue (CVE-2024-27899) stems from password requirements not being enforced in some features of the User Management Engine (UME) of SAP NetWeaver Application Server Java. Specifically, the “self-registration” and “modify your own profile” features do not check that the configured password requirements are met, which could allow users to set simple passwords that are easy to guess or crack. Both features are optional and disabled by default, but customers can enable and configure them, said researchers with Onapsis in an analysis of the new SAP flaws.
“Onapsis recommends implementing the note independently of whether one or both features are enabled or not,” according to Thomas Fritsch with Onapsis in a Tuesday analysis. “This ensures security once you decide to enable one of the features. Keeping the vulnerability unpatched can lead to high impact on the system’s confidentiality and low impact on integrity and availability.”
The flaw has a CVSS score of 8.8 out of 10 and affects the SAP NetWeaver AS Java components SERVERCORE 7.50, J2EE-APPS 7.50 and UMEADMIN 7.50.
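The weakness described above is a password policy that one code path enforces and other, optional paths skip. The following is an added example, not SAP's or Onapsis's code: a hypothetical policy in the spirit of the rules an administrator can configure, a user store that only checks it on the admin's user-creation path (the bug class), and a hardened store that routes every credential write through the same gate. All class and method names are assumptions for illustration.

```python
"""Added example (not SAP code): enforce one password policy on every path
that sets a credential, instead of only on the administrator's path.
All names are hypothetical."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    """Hypothetical policy modelled loosely on admin-configurable rules."""
    min_length: int = 12
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_special: bool = True

    def violations(self, username: str, password: str) -> list[str]:
        """Return every rule the candidate breaks; an empty list means it passes."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if self.require_upper and not re.search(r"[A-Z]", password):
            problems.append("no upper-case letter")
        if self.require_lower and not re.search(r"[a-z]", password):
            problems.append("no lower-case letter")
        if self.require_digit and not re.search(r"[0-9]", password):
            problems.append("no digit")
        if self.require_special and not re.search(r"[^A-Za-z0-9]", password):
            problems.append("no special character")
        if username and username.lower() in password.lower():
            problems.append("contains the user name")
        return problems


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 only so the stores never keep cleartext; not the point of the example.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class WeakUserStore:
    """Vulnerable pattern: the policy is consulted on the admin path only."""

    def __init__(self, policy: PasswordPolicy):
        self.policy = policy
        self._creds: dict[str, tuple[bytes, bytes]] = {}

    def _store(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._creds[username] = (salt, _hash(password, salt))

    def admin_create_user(self, username: str, password: str) -> None:
        problems = self.policy.violations(username, password)
        if problems:
            raise ValueError("password policy violated: " + "; ".join(problems))
        self._store(username, password)

    def self_register(self, username: str, password: str) -> None:
        self._store(username, password)       # BUG: optional feature, policy never checked

    def modify_own_profile(self, username: str, new_password: str) -> None:
        self._store(username, new_password)   # BUG: same omission on the self-service path

    def verify(self, username: str, password: str) -> bool:
        salt, digest = self._creds[username]
        return hmac.compare_digest(digest, _hash(password, salt))


class HardenedUserStore(WeakUserStore):
    """Fix: the single function every path writes through performs the check,
    so no feature (existing or future) can bypass it. The explicit check in
    admin_create_user becomes redundant but harmless."""

    def _store(self, username: str, password: str) -> None:
        problems = self.policy.violations(username, password)
        if problems:
            raise ValueError("password policy violated: " + "; ".join(problems))
        super()._store(username, password)
```

The design point is where the check lives: a validator called from individual feature handlers is only as complete as the list of handlers someone remembered to wire up, whereas a gate on the one function that persists a credential covers the self-service features whether or not they are enabled today.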
SAP also disclosed an information disclosure flaw in SAP BusinessObjects Web Intelligence, its suite of applications for viewing and analyzing data. Specifically, in versions 4.2 and 4.3, the product’s Excel Data Access Service does not perform the proper validation checks when Excel files are uploaded, which could allow a crafted document to expose information it should not.
“Due to improper validation, SAP BusinessObjects Business Intelligence Launch Pad allows an authenticated attacker to access operating system information using a crafted document,” according to the flaw’s CVE record. “On successful exploitation there could be a considerable impact on confidentiality of the application.”
Finally, SAP reported a high-severity directory traversal bug in several versions of its Asset Accounting tool (CVE-2024-27901). Path information supplied by users is not sufficiently validated before being passed through to the file APIs, which an attacker with high privileges could exploit. Beyond these three high-severity flaws, SAP also disclosed seven medium-severity flaws and published updates for two previously disclosed medium-severity vulnerabilities (CVE-2022-29613 and CVE-2023-40306).
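The directory traversal bug above is the general pattern of user-controlled path information reaching a file API without adequate validation. As an added example, not code from SAP or from the advisory, the block below shows the vulnerable join, the canonicalise-then-check fix, and a demo that builds a throwaway directory tree (constructed inline) and runs three probes through both. Function names, the tree layout and file contents are assumptions for illustration.

```python
"""Added example (not SAP code): user-supplied path information passed to
file APIs, and the validation that keeps it inside the intended directory.
Names, paths and contents are hypothetical and constructed for the demo."""
import os
import shutil
import tempfile
from pathlib import Path


def unsafe_path(base_dir: str, user_path: str) -> str:
    """Vulnerable: hands the user's string straight to the file API.

    os.path.join keeps '..' segments, and discards base_dir entirely when
    user_path is absolute, so both classic traversal tricks work.
    """
    return os.path.join(base_dir, user_path)


def safe_path(base_dir: str, user_path: str) -> Path:
    """Hardened: canonicalise first, then prove the result stays under base_dir.

    resolve() collapses '..' and follows symlinks, so a link planted inside
    the base that points outside is rejected as well. Path.is_relative_to
    needs Python 3.9+.
    """
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    base = Path(base_dir).resolve()
    candidate = (base / user_path).resolve()   # an absolute user_path replaces base here
    if not candidate.is_relative_to(base):     # ...which this check catches
        raise ValueError(f"path escapes base directory: {user_path!r}")
    return candidate


def run_demo() -> dict[str, dict[str, str]]:
    """Build a temp tree, read three probes through both helpers, clean up."""
    root = Path(tempfile.mkdtemp(prefix="traversal-demo-"))
    try:
        base = root / "attachments"
        (base / "docs").mkdir(parents=True)
        (base / "docs" / "report.txt").write_text("quarterly figures")
        secret = root / "outside" / "secret.txt"        # must never be reachable
        secret.parent.mkdir()
        secret.write_text("not for you")

        probes = {
            "benign": "docs/report.txt",
            "dotdot": "../outside/secret.txt",
            "absolute": str(secret),
        }
        results: dict[str, dict[str, str]] = {}
        for name, user_path in probes.items():
            unsafe = Path(unsafe_path(str(base), user_path)).read_text()
            try:
                safe = safe_path(str(base), user_path).read_text()
            except ValueError:
                safe = "rejected"
            results[name] = {"unsafe": unsafe, "safe": safe}
        return results
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:9s} unsafe={outcome['unsafe']!r:22} safe={outcome['safe']!r}")
```

The check is deliberately done on the resolved path rather than by rejecting the substring `..`: string blacklists miss absolute paths, symlinks and platform-specific separators, while comparing canonical paths answers the only question that matters, namely whether the file the API will actually open lies under the allowed directory.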
“SAP strongly recommends that the customer applies patches on priority to protect their SAP landscape,” according to SAP in its Tuesday security advisory. “On 9th of April 2024, SAP Security Patch Day saw the release of 10 new Security Notes. Further, there were 2 updates to previously released Security Notes.”