BusinessObjects Board

[CVE-2024-41730] Missing Authentication check in SAP BusinessObjects Business Intelligence Platform

SAP has released a notice regarding a potential security issue.

3479478 - [CVE-2024-41730] Missing Authentication check in SAP BusinessObjects Business Intelligence Platform ( :lock: SAP site login required).

Public link: CVE-2024-41730

This issue is related to configuring Enterprise authentication for Single Sign-on. Currently there is no workaround and the only solution is to upgrade to BI4.3sp4 patch 6, BI4.3sp5, or BI 2025.

We don’t use Enterprise authentication for our primary user security so I haven’t done much with Enterprise authentication. I was unaware that it could be configured for single sign-on. I’m not sure what the configuration is. I’m assuming at this point that this doesn’t apply to our installation.

Update: After looking through the Administrator’s Guide, it looks like this may be related to SAML integration. It still isn’t really clear exactly what this is.

2 Likes
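As an added example (not code from the original post, from SAP, or from the SAP note), here is a small Python helper that encodes the fixed levels quoted above (BI 4.3 SP4 Patch 6, BI 4.3 SP5, BI 2025) and classifies an installed version string against them, so an inventory of servers can be triaged without reading each one by hand. The version-string format it parses ("BI 4.3 SP4 Patch 6" style), the sample inventory, and the rule that any 4.x release older than the listed fixes is treated as unpatched are assumptions made here for illustration.

```python
import re
from typing import List, Optional, Tuple

# Fix levels as stated in the post, encoded as (major, minor, sp, patch).
# Assumed here: a 4.3 system at or above SP4 Patch 6 is fixed (this also
# covers SP5 and later), BI 2025 is fixed, and anything on the 4.x line
# below those levels has no listed fix and must be upgraded.
FIX_43 = (4, 3, 4, 6)       # BI 4.3 SP4 Patch 6
FIX_2025_MAJOR = 2025       # BI 2025

Version = Tuple[int, int, int, int]

# Accepts strings such as "BI 4.3 SP4 Patch 6", "4.3 SP5", "BI 2025".
# This format is an assumption made for the example, not an SAP convention.
_VERSION_RE = re.compile(
    r"^\s*(?:BI\s*)?(?P<major>\d+)(?:\.(?P<minor>\d+))?"
    r"(?:\s*SP\s*(?P<sp>\d+))?(?:\s*Patch\s*(?P<patch>\d+))?\s*$",
    re.IGNORECASE,
)


def parse_version(text: str) -> Version:
    """Parse a version string into a (major, minor, sp, patch) tuple.

    Missing components default to 0, so "4.3 SP5" becomes (4, 3, 5, 0).
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(m.group(g) or 0) for g in ("major", "minor", "sp", "patch"))  # type: ignore[return-value]


def is_patched(text: str) -> Optional[bool]:
    """Return True if the version is at a fixed level, False if it needs an
    upgrade, or None if it is on a line the advisory text does not mention."""
    v = parse_version(text)
    major, minor = v[0], v[1]
    if (major, minor) == (4, 3):
        # Tuple comparison: (4,3,4,5) < (4,3,4,6) <= (4,3,5,0) < (4,3,5,1) ...
        return v >= FIX_43
    if major == FIX_2025_MAJOR:
        return True
    if major <= 4:
        # 4.2 and earlier: the post lists no fix, only upgrade targets.
        return False
    return None


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Classify (host, version) pairs as 'patched', 'upgrade' or 'unknown'."""
    result = []
    for host, version in inventory:
        state = is_patched(version)
        label = "patched" if state else ("unknown" if state is None else "upgrade")
        result.append((host, version, label))
    return result


# Constructed sample inventory for the example; not real hosts.
SAMPLE_INVENTORY = [
    ("bi-prod-01", "BI 4.3 SP4 Patch 5"),
    ("bi-prod-02", "BI 4.3 SP4 Patch 6"),
    ("bi-dev-01", "4.3 SP5"),
    ("bi-legacy", "BI 4.2 SP9 Patch 3"),
    ("bi-new", "BI 2025"),
]

if __name__ == "__main__":
    for host, version, label in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {version:22} {label}")
```

The helper answers only the "am I on a fixed build" question from the first post; whether the vulnerable workflow is actually enabled on a given system is a separate check in the CMC, as discussed later in this thread.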

I’ve asked SAP support for clarification on this issue as the documentation is rather vague.

1 Like

You may be wondering how you can find out about this potential security issue. I check this page on the second Tuesday of each month (SAP Security Patch Day) and click the link for the current month and see what applies to our installation since more than just BusinessObjects related issues are on that list.

In the KBA/Note link @JohnBClark provided there is another KBA/Note referenced…

In case of any queries please refer to this FAQ document 3505145.

Some of the key FAQs…

  • Which customers are affected?
    Customers who enable Trusted Authentication workflows (such as for SAML, trustedVintela, QUERY_STRING, or HTTP_HEADER, etc.) are affected.

  • How can I determine if I’m using trusted authentication?
    Trusted Authentication can be validated in CMC → Authentication → Enterprise → Trusted Authentication.
    If ‘Trusted Authentication is enabled’ is checked, then the system is impacted.

The second one tells me my systems are not impacted by this issue since we do not have ‘Trusted Authentication is enabled’ checked.

Noel

3 Likes