
SAP Security Patch Day – August 2024

SecurityBridge
August 13, 2024

SAP Security Patch Tuesday 2024

And here we are again: SAP Security Patch Day for August has arrived. As always on the second Tuesday of the month, SAP issued a series of security patches, 19 notes in total since the July release. Unpatched systems are a significant risk: many data breaches and other cyber attacks succeed because a patch was available but never applied. The importance of patching is well understood. What is hard is the process itself, which requires constant attention and often proves complicated to execute consistently.

At SecurityBridge, we know how important patch management is and how complex it is for organizations to manage effectively. The SecurityBridge Patch Management solution creates insight into missing patches across an SAP landscape, including an impact assessment of specific patches before they are implemented. By presenting the status in a comprehensive, landscape-wide overview, it is an essential tool for strengthening the security posture of an SAP landscape.

SAP Security Patches August 2024

For August 2024, 16 new Security Notes have been released and 3 have been updated. As the summary below shows, there are 2 HotNews notes and only 2 notes with priority 'High'. For most of the notes, the fix 'simply' means applying the relevant patches and, where indicated, the manual corrections.

We will highlight some points of attention below.

  • Note 3477196: Applications built with SAP Build Apps may be vulnerable to CVE-2024-29415, a Server-Side Request Forgery (SSRF) issue caused by an outdated version of a Node.js library the apps depend on. The flaw sits in a third-party library and, at CVSS 9.1, poses a high risk to confidentiality and integrity; availability is not affected. The fix is to rebuild and redeploy the affected apps from a fixed version; an app that is not redeployed keeps the vulnerable library.
  • Note 3479478: In the SAP BusinessObjects Business Intelligence Platform, if Single Sign-On is enabled on Enterprise authentication, an unauthenticated user can obtain a logon token through a REST endpoint (CVE-2024-41730, CVSS 9.8). With that token the attacker can fully compromise the system. Implementing the patches listed in the note resolves the issue.
  • Note 3485284: The BEx Web Java Runtime Export Web Service does not sufficiently validate XML documents accepted from an untrusted source (CVE-2024-42374, CVSS 8.2). An attacker can use this to retrieve information from the SAP ADS (Adobe Document Services) system and to exhaust the service so that ADS rendering (PDF creation) becomes unavailable. This affects the confidentiality and availability of the application and is fixed by implementing the Support Package referenced in the note.
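
The note does not say which library or which input slipped past its check, so the following is an added illustration of the SSRF class in general, not code from SAP Build Apps or from the patched library. It is written in Python for a back-end that fetches URLs on behalf of users and shows the weak pattern, a check that compares address strings, beside one that canonicalizes the literal through the C library's address parser before classifying it. NAIVE_BLOCKED, the sample addresses and resolve_and_check are constructed for this example.

```python
from __future__ import annotations

import ipaddress
import socket

# Added example (not SAP Build Apps code and not the patched library): an SSRF
# target check that compares address text, next to one that parses first.

# A denylist of the kind a string-comparison check relies on (constructed).
NAIVE_BLOCKED = {"127.0.0.1", "0.0.0.0", "169.254.169.254", "::1"}


def naive_is_public(target: str) -> bool:
    """Weak check: looks only at the literal text of the address."""
    return target not in NAIVE_BLOCKED and not target.startswith(("10.", "192.168."))


def canonicalize(target: str) -> ipaddress.IPv4Address | ipaddress.IPv6Address:
    """Turn any address literal into a parsed address before classifying it.

    socket.inet_aton accepts the same shorthand forms the C library does
    ("127.1", "0x7f.0.0.1", "2130706433"), which is exactly what a text
    comparison misses, so we let it produce the packed 4-byte value and build
    the address from that. IPv6 literals go through ipaddress; IPv4-mapped
    ones (::ffff:127.0.0.1) are unwrapped so the IPv4 rules apply.
    Raises ValueError for anything that is not an address literal.
    """
    try:
        packed = socket.inet_aton(target)
    except OSError:
        addr = ipaddress.ip_address(target)
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
            return addr.ipv4_mapped
        return addr
    return ipaddress.IPv4Address(packed)


def hardened_is_public(target: str) -> bool:
    """Allow only globally routable unicast addresses; refuse anything unparseable."""
    try:
        addr = canonicalize(target)
    except ValueError:
        return False
    return not (
        addr.is_private
        or addr.is_loopback
        or addr.is_link_local
        or addr.is_multicast
        or addr.is_reserved
        or addr.is_unspecified
    )


def resolve_and_check(hostname: str) -> list[str]:
    """Resolve a hostname and return its addresses only if every one passes.

    The caller should then connect to one of the returned addresses directly,
    not to the hostname again, so a second, different DNS answer cannot be
    substituted. Needs network access, so the offline checks do not call it.
    """
    infos = socket.getaddrinfo(hostname, None, type=socket.SOCK_STREAM)
    addrs = sorted({info[4][0] for info in infos})
    if not all(hardened_is_public(a) for a in addrs):
        return []
    return addrs
```

Running hardened_is_public over "127.1", "2130706433", "0x7f.0.0.1" and "::ffff:127.0.0.1" rejects all four, while naive_is_public lets "127.1" through; the difference is that the hardened check decides on the parsed address, which is what the socket layer will actually connect to.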

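The two effects the note describes, information retrieval from ADS and exhaustion of the renderer, are what an external entity and an entity expansion bomb do to a parser that processes DTDs from untrusted input. As an added example, not the code of the BEx Web export service or of ADS, here is a Python wrapper around the standard pyexpat parser that refuses every DTD feature before any expansion can happen and caps input size and nesting depth. The three sample documents and the limits are constructed for this example.

```python
import pyexpat

# Added example, not the BEx Web export service code: parse XML from an
# untrusted source with every DTD feature refused, so that neither an external
# entity (information retrieval) nor an entity expansion bomb (resource
# exhaustion) ever reaches the parser's expansion logic.


class UnsafeXML(ValueError):
    """The document asked for a DTD feature we do not process from untrusted input."""


def parse_untrusted_xml(data: bytes, max_bytes: int = 1_000_000, max_depth: int = 64) -> dict:
    """Parse the document and return {"root": tag, "elements": n, "max_depth": d}.

    Raises UnsafeXML for a DOCTYPE, any entity declaration, any external entity
    reference, over-long input or over-deep nesting; pyexpat.ExpatError for
    malformed XML.
    """
    if len(data) > max_bytes:
        raise UnsafeXML(f"document of {len(data)} bytes exceeds limit of {max_bytes}")

    summary = {"root": None, "elements": 0, "max_depth": 0}
    depth = 0

    def refuse_doctype(name, sysid, pubid, has_internal_subset):
        # Fires before any entity in the internal subset is declared, so the
        # whole DTD is rejected up front.
        raise UnsafeXML(f"DOCTYPE {name!r} refused")

    def refuse_entity(name, *rest):
        raise UnsafeXML(f"entity declaration {name!r} refused")

    def refuse_external(context, base, sysid, pubid):
        raise UnsafeXML(f"external entity reference to {sysid!r} refused")

    def start(tag, attrs):
        nonlocal depth
        depth += 1
        if depth > max_depth:
            raise UnsafeXML(f"nesting deeper than {max_depth} elements")
        summary["max_depth"] = max(summary["max_depth"], depth)
        summary["elements"] += 1
        if summary["root"] is None:
            summary["root"] = tag

    def end(tag):
        nonlocal depth
        depth -= 1

    parser = pyexpat.ParserCreate()
    parser.StartDoctypeDeclHandler = refuse_doctype
    parser.EntityDeclHandler = refuse_entity
    parser.ExternalEntityRefHandler = refuse_external
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.Parse(data, True)  # an exception raised in a handler propagates from here
    return summary


def check(data: bytes):
    """Return (True, summary) if the document is accepted, else (False, reason)."""
    try:
        return True, parse_untrusted_xml(data)
    except (UnsafeXML, pyexpat.ExpatError) as exc:
        return False, str(exc)


# Constructed inputs: a harmless export, an external-entity probe for a local
# file, a classic entity expansion bomb, and a nesting-depth attack.
BENIGN = b"<export><report id='1'><cell>42</cell></report></export>"
XXE = (b"<?xml version='1.0'?>"
       b"<!DOCTYPE export [<!ENTITY leak SYSTEM 'file:///etc/passwd'>]>"
       b"<export>&leak;</export>")
ENTITY_BOMB = (b"<?xml version='1.0'?><!DOCTYPE lolz ["
               b"<!ENTITY lol 'lol'>"
               b"<!ENTITY lol2 '&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;'>"
               b"<!ENTITY lol3 '&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;'>"
               b"]><lolz>&lol3;</lolz>")
TOO_DEEP = b"<a>" * 70 + b"</a>" * 70

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("xxe", XXE), ("bomb", ENTITY_BOMB), ("deep", TOO_DEEP)):
        print(label, check(doc))
```

Rejecting the DOCTYPE outright is the simplest rule that covers both cases the note describes: an export service has no reason to accept documents that declare entities, and refusing at the declaration means the parser never allocates the expanded text. Rejecting malformed input the same way as unsafe input (check returns False for both) keeps the caller from having to distinguish them.
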
Keep a close eye!

Although this article is about patches and patch management, some of these items touch other security areas as well. Take note 3454858 (CVE-2024-37180), for example, an 'Information Disclosure' in SAP NetWeaver Application Server for ABAP. Under certain conditions an attacker can call a remote-enabled function module that would otherwise be restricted, without any further authorization check, and use it to read non-sensitive information. Applying the patch closes that gap. But what about monitoring the usage of these function modules? Even after the fix, it is very valuable to know whether and when they were called, and by whom. This is where SecurityBridge Threat Detection comes into play: real-time events give actual insight into what happens in your SAP landscape, so calls to these function modules can be tracked and immediately investigated to identify possible abuse. With these insights, you can decisively strengthen and fortify your security posture.
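
As an added example of the kind of monitoring this paragraph argues for, written for this article and not SecurityBridge's or SAP's code, here is a small Python detector run over a constructed export of RFC call events. The watched function module names, the expected technical user and the pipe-separated line format are all assumptions for the example; in practice the names come from the note's correction instructions and the events from whatever your system exports (the Security Audit Log or a SIEM feed).

```python
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Placeholders: the note names the affected function modules; put those names
# here. These are not real SAP function module names.
WATCHLIST = {"RFC_WATCHED_FM_A", "RFC_WATCHED_FM_B"}
# Technical users that legitimately call them (assumption for this example).
EXPECTED_USERS = {"RFC_BATCH"}

# Constructed sample export. Field order is an assumption for this example,
# not an SAP log format: timestamp|client|user|caller_ip|event|function_module
SAMPLE_LOG = """\
2024-08-14T08:00:00|100|RFC_BATCH|10.0.0.20|RFC_CALL|RFC_WATCHED_FM_A
2024-08-14T08:00:01|100|RFC_BATCH|10.0.0.20|RFC_CALL|SOME_OTHER_FM
2024-08-14T08:05:00|100|JDOE|10.1.2.3|RFC_CALL|RFC_WATCHED_FM_B
2024-08-14T08:05:01|100|JDOE|10.1.2.3|RFC_CALL|RFC_WATCHED_FM_A
2024-08-14T08:05:02|100|JDOE|10.1.2.3|RFC_CALL|RFC_WATCHED_FM_B
2024-08-14T08:05:03|100|JDOE|10.1.2.3|RFC_CALL|RFC_WATCHED_FM_A
2024-08-14T08:05:04|100|JDOE|10.1.2.3|RFC_CALL|RFC_WATCHED_FM_B
2024-08-14T09:00:00|100|JDOE|10.1.2.3|LOGON|
"""


@dataclass(frozen=True)
class RfcEvent:
    ts: datetime
    client: str
    user: str
    caller: str
    fm: str


def parse_line(line: str) -> RfcEvent | None:
    """Return an RfcEvent for RFC_CALL lines, None for anything else."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != 6 or parts[4] != "RFC_CALL":
        return None
    ts, client, user, caller, _, fm = parts
    return RfcEvent(datetime.fromisoformat(ts), client, user, caller, fm)


def detect(lines, burst_threshold: int = 5, window: timedelta = timedelta(minutes=1)) -> list[dict]:
    """Emit one alert per call to a watched function module, plus burst alerts.

    Severity is INFO when an expected technical user makes the call and HIGH
    otherwise. A further HIGH "burst" alert fires once when the same user and
    caller address reach burst_threshold watched calls inside the window,
    which is the pattern of someone enumerating what the modules return.
    """
    alerts: list[dict] = []
    recent: dict[tuple[str, str], deque[datetime]] = defaultdict(deque)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev.fm not in WATCHLIST:
            continue
        key = (ev.user, ev.caller)
        q = recent[key]
        q.append(ev.ts)
        while q and ev.ts - q[0] > window:  # drop calls that fell out of the window
            q.popleft()
        alerts.append({
            "rule": "watched_fm_call",
            "severity": "INFO" if ev.user in EXPECTED_USERS else "HIGH",
            "ts": ev.ts, "user": ev.user, "caller": ev.caller, "fm": ev.fm,
        })
        if len(q) == burst_threshold:
            alerts.append({
                "rule": "burst",
                "severity": "HIGH",
                "ts": ev.ts, "user": ev.user, "caller": ev.caller,
                "fm": f"{burst_threshold} watched calls within {window}",
            })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f"{a['ts']:%H:%M:%S} {a['severity']:<4} {a['rule']:<16} "
              f"{a['user']:<9} {a['caller']:<10} {a['fm']}")
```

On the constructed sample the detector produces one INFO alert for the batch user's call, five HIGH alerts for the dialog user's calls from 10.1.2.3, and one HIGH burst alert when the fifth of those arrives within the minute. The useful property is that the rule keeps working after the patch: a call that now fails the authorization check is still a call worth knowing about.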

SAP Security Notes August 2024

Highlights

A longer list of notes than in previous months, with 2 HotNews notes this time but lower criticality overall.

Summary by Severity

The August release contains a total of 19 patches with the following severities:

Severity   Number
HotNews    2
High       2
Medium     15

Note | Description | Severity | CVSS
3479478 | [CVE-2024-41730] Missing Authentication check in SAP BusinessObjects Business Intelligence Platform | HotNews | 9.8
3477196 | [CVE-2024-29415] Server-Side Request Forgery vulnerability in applications built with SAP Build Apps | HotNews | 9.1
3485284 | [CVE-2024-42374] XML injection in SAP BEx Web Java Runtime Export Web Service | High | 8.2
3459935 | [CVE-2024-33003] Information Disclosure Vulnerability in SAP Commerce Cloud | High | 7.4
3474590 | [CVE-2024-42376] Multiple Missing Authorization Check vulnerabilities in SAP Shared Service Framework | Medium | 6.5
3495876 | [Multiple CVEs] Multiple vulnerabilities in SAP Replication Server (FOSS) | Medium | 6.5
3459379 | [CVE-2024-34683] Unrestricted file upload in SAP Document Builder (HTTP service) | Medium | 6.5
3438085 | [CVE-2024-33005] Missing Authorization check in SAP NetWeaver Application Server (ABAP and Java), SAP Web Dispatcher and SAP Content Server | Medium | 6.3
3483256 | [CVE-2024-41735] Cross-Site Scripting (XSS) vulnerability in SAP Commerce Backoffice | Medium | 5.4
3471450 | [CVE-2024-41733] Information Disclosure Vulnerability in SAP Commerce | Medium | 5.3
3487537 | [CVE-2024-41737] Server-Side Request Forgery (SSRF) in SAP CRM ABAP (Insights Management) | Medium | 5.0
3468102 | [CVE-2024-41732] Improper Access Control in SAP NetWeaver Application Server ABAP | Medium | 4.7
3150704 | [CVE-2023-0023] Information Disclosure in SAP Bank Account Management (Manage Banks) | Medium | 4.5
3494349 | [CVE-2024-41734] Missing Authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform | Medium | 4.3
3477423 | [CVE-2024-39591] Missing Authorization check in SAP Document Builder | Medium | 4.3
3479293 | [CVE-2024-42373] Missing Authorization Check in SAP Student Life Cycle Management (SLcM) | Medium | 4.3
3475427 | [CVE-2024-41736] Information Disclosure vulnerability in SAP Permit to Work | Medium | 4.3
3433545 | [CVE-2024-42375] Multiple Unrestricted File Upload vulnerabilities in SAP BusinessObjects Business Intelligence Platform | Medium | 4.3
3454858 | [CVE-2024-37180] Information Disclosure vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform | Medium | 4.1