SAP Security Patch Day – September 2024
What is the most important day of the month for an SAP security professional? Arguably, it is SAP Security Patch Day! You know, that infamous second Tuesday of the month when SAP releases its latest run of SAP security patches. For many, it marks the start of a lengthy manual analysis and implementation of changes in the SAP landscape, all to make sure that every vulnerability is mitigated as soon as possible. And rightly so! Patch management is of the utmost importance to prevent cyber attacks that exploit known security issues and cause serious damage.
At SecurityBridge, we are all too familiar with the challenges that come with patch management. As easy as it may sound, in an SAP landscape, it is not. Time and time again, it proves to be a complex process that requires meticulous research and serious efforts to get it right. The SecurityBridge Patch Management solution greatly helps to create insight into missing patches across an SAP landscape and provides essential functionalities to handle patch management effectively, like automatic implementation and impact analysis.
SAP Security Patches September 2024
For this month, we see 16 new Security Notes and 3 that have been updated. See below for the highlights.
Updated security notes
HotNews note 3479478 was first released last month in August and got some important updates:
- The vulnerability only applies to web application servers where biprws is deployed, but it is also valid for version 420 of the BusinessObjects platform.
- A workaround is now available to fix the issue temporarily. Of course, applying the relevant patches remains the recommended solution.
Take note of the above changes if applicable: this vulnerability can lead to a complete compromise of your system (CVSS 9.8)!
For note 3459935 (CVSS 7.4), only the solution information has been updated. In short: you’ll need 2211.28 instead of 2211.27 to fix the issue on SAP Commerce Cloud. A small, but important update if you think you’re safe with the previous version…
The update for note 3495876 (CVSS 6.5) is actually quite minimal and only refers to an additional cleanup of files after patching, see the note for more information.
New security notes
Many of the newly released notes are quite straightforward and simply require customers to apply the update where applicable. Some highlights are:
- Note 3430336 addresses the BREACH attack (recovering secrets such as CSRF tokens from compressed HTTP responses). Apply the patches mentioned in the note AND implement the XorCsrfTokenRequestAttributeHandler for CSRF tokens in custom web applications, so that each response carries a freshly masked version of the token.
- Note 3488039 covers multiple vulnerabilities in the SAP_BASIS layer, all in the medium category (CVSS 4.3-5.4). A workaround is also available by adapting the authorization object S_RFC.
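To illustrate the XOR masking that the XorCsrfTokenRequestAttributeHandler mentioned for note 3430336 performs, here is an added, self-contained Python example (not code from SAP, Spring or the original article). It assumes a 16-byte per-session CSRF token, a constructed value for this demonstration; the point is that the same secret is rendered with different bytes in every response, which removes the stable per-byte target a compression side channel needs, while the server can still verify submissions.

```python
import base64
import hmac
import secrets
from typing import Optional

TOKEN_LEN = 16  # bytes per session CSRF token (constructed for this example)


def new_session_token() -> bytes:
    """Per-session CSRF secret, kept server side (e.g. in the HTTP session)."""
    return secrets.token_bytes(TOKEN_LEN)


def mask_token(token: bytes) -> str:
    """Render the session token for one response as base64url(mask || mask XOR token).

    A fresh random mask is drawn per call, so two responses for the same
    session embed different bytes for the same underlying secret.
    """
    mask = secrets.token_bytes(len(token))
    xored = bytes(m ^ t for m, t in zip(mask, token))
    return base64.urlsafe_b64encode(mask + xored).decode("ascii")


def unmask_token(masked: str) -> Optional[bytes]:
    """Recover the raw token from a submitted masked value; None if malformed."""
    try:
        raw = base64.urlsafe_b64decode(masked.encode("ascii"))
    except (ValueError, UnicodeEncodeError):
        return None
    if len(raw) == 0 or len(raw) % 2 != 0:
        return None
    half = len(raw) // 2
    mask, xored = raw[:half], raw[half:]
    return bytes(m ^ x for m, x in zip(mask, xored))


def verify_submission(submitted: str, session_token: bytes) -> bool:
    """Server-side check of the masked value sent back with a state-changing request."""
    recovered = unmask_token(submitted)
    if recovered is None or len(recovered) != len(session_token):
        return False
    return hmac.compare_digest(recovered, session_token)  # constant-time compare


if __name__ == "__main__":
    tok = new_session_token()
    a, b = mask_token(tok), mask_token(tok)
    print("two renderings of one token differ:", a != b)
    print("valid submission accepted:", verify_submission(a, tok))
    print("token from another session rejected:", verify_submission(a, new_session_token()))
```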
SAP Security Notes September 2024
Highlights
Mostly 'Medium' and 'Low' priority notes this month. Make sure to review the updated notes with 'High' and 'HotNews' priority to ensure your systems are still safe.
Summary by Severity
The September release contains a total of 19 patches for the following severities:
Severity | Number
---|---
Hot News | 1
High | 1
Medium | 14
Low | 3
Note | Description | Priority | Released on | Components | Category | Severity | CVSS
---|---|---|---|---|---|---|---
3479478 | [CVE-2024-41730] Missing Authentication check in SAP BusinessObjects Business Intelligence Platform | HotNews | 13.08.2024 | BI-BIP-INV | Program error | Hot News | 9.8
3459935 | [CVE-2024-33003] Information Disclosure Vulnerability in SAP Commerce Cloud | Correction with high priority | 13.08.2024 | CEC-COM-CPS-COR | Program error | High | 7.4
3495876 | [Multiple CVEs] Multiple vulnerabilities in SAP Replication Server (FOSS) | Correction with medium priority | 13.08.2024 | BC-SYB-REP | Program error | Medium | 6.5
3488341 | [CVE-2024-45286] Missing Authorization check in SAP Production and Revenue Accounting (Tobin interface) | Correction with medium priority | 10.09.2024 | IS-OIL-PRA-REV-OW | Program error | Medium | 6.5
3501359 | [CVE-2024-45279] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server for ABAP (CRM Blueprint Application Builder Panel) | Correction with medium priority | 10.09.2024 | CA-GTF-PCF | Program error | Medium | 6.1
3497347 | [CVE-2024-42378] Cross-Site Scripting (XSS) in eProcurement on S/4HANA | Correction with medium priority | 10.09.2024 | MM-PUR-SSP | Program error | Medium | 6.1
3477359 | [CVE-2024-45283] Information disclosure vulnerability in SAP NetWeaver AS for Java (Destination Service) | Correction with medium priority | 10.09.2024 | BC-JAS-SEC-DST | Program error | Medium | 6.0
3430336 | [CVE-2013-3587] Information Disclosure vulnerability in SAP Commerce Cloud | Correction with medium priority | 10.09.2024 | CEC-SCC-PLA-PL | Program error | Medium | 5.9
3425287 | [CVE-2024-45281] DLL hijacking vulnerability in SAP BusinessObjects Business Intelligence Platform | Correction with medium priority | 10.09.2024 | BI-RA-WBI-BE | Program error | Medium | 5.8
3488039 | [Multiple CVEs] Multiple vulnerabilities in SAP NetWeaver Application Server for ABAP and ABAP Platform | Correction with medium priority | 10.09.2024 | BC-DWB-SEM | Program error | Medium | 5.4
3505503 | [CVE-2024-45280] Cross-Site Scripting (XSS) Vulnerability in SAP NetWeaver AS Java (Logon Application) | Correction with medium priority | 10.09.2024 | BC-JAS-SEC-LGN | Program error | Medium | 4.8
3498221 | [CVE-2024-44120] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal | Correction with medium priority | 10.09.2024 | BC-PIN-PCD | Program error | Medium | 4.7
3481588 | [CVE-2024-41729] Information Disclosure vulnerability in the SAP NetWeaver BW (BEx Analyzer) | Correction with medium priority | 10.09.2024 | BW-BEX-ET-WB-7X | Program error | Medium | 4.3
3505293 | [CVE-2024-44112] Missing Authorization check in SAP for Oil & Gas (Transportation and Distribution) | Correction with medium priority | 10.09.2024 | IS-OIL-DS-TD | Program error | Medium | 4.3
3437585 | [CVE-2024-44121] Information Disclosure in SAP S/4 HANA (Statutory Reports) | Correction with medium priority | 27.08.2024 | FI-LOC-SRF-RUN | Program error | Medium | 4.3
3481992 | [CVE-2024-44113] Information Disclosure vulnerability in the SAP Business Warehouse (BEx Analyzer) | Correction with medium priority | 10.09.2024 | BW-BEX-ET-WB-7X | Program error | Medium | 4.3
2256627 | [CVE-2024-45284] Missing authorization check in SAP Student Life Cycle Management (SLcM) | Correction with low priority | 10.09.2024 | IS-HER-CM | Program error | Low | 2.7
3496410 | [CVE-2024-41728] Missing Authorization check in SAP NetWeaver Application Server for ABAP and ABAP Platform | Correction with low priority | 10.09.2024 | BC-DWB-TOO-ABA | Program error | Low | 2.7
3507252 | [CVE-2024-44114] Missing Authorization check in SAP NetWeaver Application Server for ABAP and ABAP Platform | Correction with low priority | 10.09.2024 | BC-ABA-LA | Program error | Low | 2.0