SAP Security Patch Day – July 2024

Gert-Jan Koster
SAP Security specialist
July 9, 2024
5 min read

SAP Security Patch Tuesday 2024

We’ve entered the second half of 2024, marking the arrival of the SAP Security Patch Day for July. As always on the second Tuesday of the month, SAP issued a series of security patches: 18 notes in total since the June release. Unpatched systems present a significant risk when defending against threats; many data breaches and other cyber attacks happen because of missing patches. The importance of patching is well understood. However, it is a process that requires constant attention and is hard to execute consistently.

At SecurityBridge, we highly value the importance of patch management and recognize the complexity for organizations to manage it effectively. The SecurityBridge Patch Management solution greatly helps create insight into missing patches across an SAP landscape, including impact assessment of specific patches even before implementation. By presenting the status in a comprehensive and landscape-wide overview, this solution is an essential toolkit to strengthen the security posture of an SAP landscape.

SAP Security Patches July 2024

For July 2024, 16 new Security Notes have been released and 2 have been updated. As shown in the summary below, there are no HotNews notes and only 2 have priority ‘High’. Although this means there are no very critical patches to look after, the other notes still require due attention. For most of the notes, remediation ‘simply’ means applying the relevant patches and any manual corrections.

We will highlight some points of attention below.

  • Note 3490515: This describes a vulnerability in the ‘early login and registration’ feature of SAP Commerce. Note that SAP Commerce comes in a public cloud and an on-premise variant, and each requires different steps to remediate. Also note the workaround, which can serve as a temporary fix.

  • Note 3459379: This note was updated at the end of June with changed correction instructions. If relevant, make sure to double-check.

  • Note 3461110: The vulnerability described here concerns SAP GUI for Windows, a component still very much in use within organizations. The described issue can only be exploited when the user’s workstation is already largely compromised. Still, it underlines the weakness of passwords in general and the added value of a more secure alternative, such as single sign-on.

  • Notes 3476348 and 3476340 both describe vulnerabilities in SAP Enable Now. Here too, note the difference between the cloud and on-premise variants: depending on the variant, different actions are needed!

Keep a close eye!

Although this article is about patches and patch management, some of these items relate to other security areas too. Take note 3454858, for example. This note concerns possible ‘Information Disclosure’ when using certain function modules in an SAP ABAP system. Fixing the issue by applying the patch is one thing. But what about monitoring the usage of such function modules or other programs? Even after the issue is fixed, it is very valuable to know if and when these modules are used. This is where SecurityBridge Threat Detection comes into play: real-time events can be generated to give actual insight into what happens in your SAP landscape. For the note mentioned above, usage of the function module can be tracked and immediately investigated to identify possible exploit attempts. With these insights, you can decisively enhance and fortify your security posture!
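To make the monitoring idea concrete, here is an added example that is not SecurityBridge or SAP code: a small detector that runs over constructed, RFC-style call records and raises an alert whenever a function module on a watchlist is called, grouped per user and terminal with first/last seen and the calling programs. The log format (`timestamp|user|terminal|caller|function_module`), the field names and the watchlist entries are assumptions for illustration; the page does not name the function modules affected by note 3454858, so the watched names below are placeholders.

```python
"""Added example (not SecurityBridge or SAP code): flag calls to watched
ABAP function modules in constructed, RFC-style call records.

Assumptions: the pipe-separated record layout, the field names and the
watchlist patterns are made up for this example. The placeholder names
WATCHED_FM_* stand in for whatever modules a real note would list.
"""
import fnmatch
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log: "timestamp|user|terminal|caller|function_module".
# One malformed line is included on purpose to show it is skipped, not crashed on.
SAMPLE_LOG = """\
2024-07-10T08:01:12|JSMITH|WS-0421|SM37|RFC_PING
2024-07-10T08:02:40|BATCH_RFC|WS-0999|ZJOB01|WATCHED_FM_EXPORT_DATA
2024-07-10T08:02:41|BATCH_RFC|WS-0999|ZJOB01|WATCHED_FM_EXPORT_DATA
2024-07-10T08:03:05|ADMIN_X|WS-1337|SE37|WATCHED_FM_READ_TEXT
this line is broken and has no separators
2024-07-10T08:05:30|JSMITH|WS-0421|SE16|RFC_READ_TABLE
2024-07-10T09:15:00|ADMIN_X|WS-1337|SE37|watched_fm_export_data
"""

# Hypothetical watchlist: exact names or glob patterns, matched case-insensitively
# because ABAP names are case-insensitive and logs are not always normalised.
WATCHLIST = ["WATCHED_FM_*"]


@dataclass
class Alert:
    user: str
    terminal: str
    function_module: str
    count: int
    first_seen: str
    last_seen: str
    callers: list = field(default_factory=list)


def parse_record(line):
    """Split one record; return None for lines that do not fit the layout."""
    parts = line.strip().split("|")
    if len(parts) != 5:
        return None
    ts, user, terminal, caller, fm = parts
    return {"ts": ts, "user": user, "terminal": terminal,
            "caller": caller, "fm": fm.upper()}


def is_watched(fm, watchlist=WATCHLIST):
    """True if the function module matches any watchlist pattern (case-insensitive)."""
    return any(fnmatch.fnmatchcase(fm.upper(), p.upper()) for p in watchlist)


def detect(log_text, watchlist=WATCHLIST):
    """Return one Alert per (user, terminal, function module) seen in the log."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or not is_watched(rec["fm"], watchlist):
            continue
        hits[(rec["user"], rec["terminal"], rec["fm"])].append(rec)

    alerts = []
    for (user, terminal, fm), recs in sorted(hits.items()):
        recs.sort(key=lambda r: r["ts"])
        alerts.append(Alert(user, terminal, fm, len(recs),
                            recs[0]["ts"], recs[-1]["ts"],
                            sorted({r["caller"] for r in recs})))
    return alerts


def format_alerts(alerts):
    """Render alerts as one line each, ready for a SIEM forwarder or a ticket."""
    return [f"{a.function_module} called {a.count}x by {a.user}@{a.terminal} "
            f"via {','.join(a.callers)} between {a.first_seen} and {a.last_seen}"
            for a in alerts]


if __name__ == "__main__":
    for line in format_alerts(detect(SAMPLE_LOG)):
        print(line)
```

Grouping by user and terminal rather than emitting one event per call keeps the alert volume manageable while still showing a burst (the two back-to-back calls from BATCH_RFC) as a single finding with a count; in a real landscape the records would come from the SAP Security Audit Log or an RFC gateway log rather than from an embedded string.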

SAP Security Notes July 2024

Highlights

A larger list of notes than in previous months. No HotNews notes this time, and lower criticality overall.

Summary by Severity

The July release contains a total of 18 patches for the following severities:

Severity | Number
Hot News | 0
High     | 2
Medium   | 15
Low      | 1
Note | Description | Severity | CVSS

Note 3483344 (High, CVSS 7.7)
[CVE-2024-39592] Missing Authorization check in SAP PDCE
Priority: Correction with high priority
Released on: 09.07.2024
Components: FIN-BA
Category: Program error

Note 3490515 (High, CVSS 7.2)
[CVE-2024-39597] Improper Authorization Checks on Early Login Composable Storefront B2B sites of SAP Commerce
Priority: Correction with high priority
Released on: 09.07.2024
Components: CEC-SCC-COM-BC-CS
Category: Program error

Note 3466801 (Medium, CVSS 6.9)
[CVE-2024-39593] Information Disclosure vulnerability in SAP Landscape Management
Priority: Correction with medium priority
Released on: 09.07.2024
Components: BC-VCM-LVM
Category: Program error

Note 3459379 (Medium, CVSS 6.5)
[CVE-2024-34683] Unrestricted file upload in SAP Document Builder (HTTP service)
Priority: Correction with medium priority
Released on: 11.06.2024
Components: CA-GTF-DOB
Category: Program error

Note 3468681 (Medium, CVSS 6.1)
[CVE-2024-34685] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Knowledge Management XMLEditor
Priority: Correction with medium priority
Released on: 09.07.2024
Components: EP-PIN-WPC-WCM
Category: Program error

Note 3482217 (Medium, CVSS 6.1)
[CVE-2024-39594] Multiple Cross-Site Scripting (XSS) vulnerabilities in SAP Business Warehouse - Business Planning and Simulation
Priority: Correction with medium priority
Released on: 09.07.2024
Components: BW-PLA-BPS
Category: Program error

Note 3467377 (Medium, CVSS 6.1)
[Multiple CVEs] Multiple vulnerabilities in SAP CRM (WebClient UI)
Priority: Correction with medium priority
Released on: 09.07.2024
Components: CA-WUI-UI
Category: Program error

Note 3457354 (Medium, CVSS 5.4)
[CVE-2024-37172] Missing Authorization check in SAP S/4HANA Finance (Advanced Payment Management)
Priority: Correction with medium priority
Released on: 09.07.2024
Components: FIN-FSCM-PF-IHB
Category: Program error

Note 3483993 (Medium, CVSS 5.0)
[CVE-2024-34689] Prerequisite for Security Note 3458789
Priority: Correction with medium priority
Released on: 09.07.2024
Components: BC-BMT-WFM
Category: Program error

Note 3485805 (Medium, CVSS 5.0)
[CVE-2024-34689] Allowlisting of callback-URLs in SAP Business Workflow (WebFlow Services)
Priority: Correction with medium priority
Released on: 09.07.2024
Components: BC-BMT-WFM
Category: Upgrade information

Note 3469958 (Medium, CVSS 5.0)
[CVE-2024-37171] Server-Side Request Forgery (SSRF) in SAP Transportation Management (Collaboration Portal)
Priority: Correction with medium priority
Released on: 09.07.2024
Components: TM-CP
Category: Program error

Note 3461110 (Medium, CVSS 5.0)
[CVE-2024-39600] Information Disclosure vulnerability in SAP GUI for Windows
Priority: Correction with medium priority
Released on: 09.07.2024
Components: BC-FES-GUI
Category: Program error

Note 3458789 (Medium, CVSS 5.0)
[CVE-2024-34689] Server-Side Request Forgery in SAP Business Workflow (WebFlow Services)
Priority: Correction with medium priority
Released on: 09.07.2024
Components: BC-BMT-WFM
Category: Program error

Note 3456952 (Medium, CVSS 4.7)
[CVE-2024-39599] Protection Mechanism Failure in SAP NetWeaver Application Server for ABAP and ABAP Platform
Priority: Correction with medium priority
Released on: 09.07.2024
Components: BC-MID-ICF
Category: Program error

Note 3476348 (Medium, CVSS 4.3)
[CVE-2024-39596] Missing Authorization check vulnerability in SAP Enable Now
Priority: Correction with medium priority
Released on: 09.07.2024
Components: KM-SEN-MGR
Category: Upgrade information

Note 3101986 (Medium, CVSS 4.1)
Prepare CSP support for On-Premise down port for code dependency in SAP CRM WebClient UI
Priority: Correction with medium priority
Released on: 12.04.2022
Components: CA-WUI-UI
Category: Program error

Note 3454858 (Medium, CVSS 4.1)
[CVE-2024-37180] Information Disclosure vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform
Priority: Correction with medium priority
Released on: 09.07.2024
Components: BC-SRV-DX-DXW
Category: Program error

Note 3476340 (Low, CVSS 3.3)
[CVE-2024-34692] Unrestricted File upload vulnerability in SAP Enable Now
Priority: Correction with low priority
Released on: 09.07.2024
Components: KM-SEN-MGR
Category: Upgrade information