Advisory
SAP takes the security of its vast product portfolio very seriously and thus releases security fixes for
vulnerabilities reported by external researchers and their customers every second Tuesday of the month.
SAP Note 3478615
was released on
08.10.2024 and deals with
"[CVE-2024-37179] Insecure File Operations vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Intelligence)" within SAP BusinessObjects Business Intelligence Platform.
We advice you to follow the instructions, to resolve
insecure file operations vulnerability
with a
high potential for exploitation
in component BI-RA-WBI-BE.
According to SAP Security Advisory team a workaround exists. It is advisable to implement the correction as implement patch.
Risk specification
The personal data provider feature did not have any restriction on the directories from which data was fetched.Solution
After the patch is installed, to restrict access to personal data providers, create a file PersonalFile_AllowList.txt in folder : Windows: $InstallDir\SAP BusinessObjects Enterprise XI 4.0\win64_x64\config Linux: $InstallDir/sap_bobj/enterprise_xi40/linux_x64/config The file must contain the list of folders that can contain personal data providers. There must be one folder per line. For Business Intelligence Platform maintenance schedule and strategy see the Knowledge Base Article 2144559 in References section This issue is fixed in the patches listed in the “Support Packages & Patches”. Alternativly, the consulting team has proposed the following: "No workaround available". The suggestion may be considered, as a workaround or compensating mitigation. We recommend installing/applying the correction wherever possible and as soon as possible. Base your decision on whether or not to apply the patch on your companies and systems risk perspective and consider the provided CVSS 7.7 score.
The advisory is valid for
- ENTERPRISE 420
- ENTERPRISE 430
- ENTERPRISE 2025
- ENTERPRISECLIENTTOOLS 420 3
- ENTERPRISECLIENTTOOLS 430 4
- ENTERPRISECLIENTTOOLS 2025
