SAP Security Patch Day – November 2024
Another month has passed and before you know it, it is Patch Tuesday again! SAP has released its latest round of security notes, this time a modest total of 10, some of which we highlight below. As always, a modest number is no reason to take patch management more lightly: a close review of every note is still necessary to make sure your SAP landscape stays safe.
At SecurityBridge, we highly value the importance of patch management and recognize how complex it is for organizations to manage effectively. The SecurityBridge Patch Management solution helps to create insight into missing patches across an SAP landscape, including an impact assessment of specific patches before they are implemented. By presenting the status in a comprehensive, landscape-wide overview, this solution is an essential part of the toolkit for strengthening the security posture of an SAP landscape.
Security notes - November 2024
In this release, 8 security notes have been newly released and 2 have been updated. Interestingly, none of them has the highest priority, 'HotNews'. Let's look at some highlights below.
Non-critical components?
When securing an SAP landscape, it is logical to focus first on the main applications. This makes sense, because that is where most of the work is done and where the data is stored and processed. Many security notes concern these main applications, such as the various modules of SAP S/4HANA, SAP ECC and so on. From a security perspective, though, it is vital to realize that a landscape contains many other tools, agents and helper components that can be exploited if they are not properly maintained. It is easy to overlook these components, and that is why we give them a bit more attention in this month's blog.
SAP Web Dispatcher
We have written about the SAP Web Dispatcher many times before, but it is still a component that is easily overlooked. Normal end users certainly won't realize it is there. Technical administrators should know about it, of course, but in more complex landscape architectures even seasoned administrators need good insight to identify the connectivity flows and the role that each Web Dispatcher installation plays. A Web Dispatcher can also run in different deployment modes: as a standalone installation or as an embedded process within an ABAP or Java system. That makes gaining that insight even harder.
Security note 3520281 has the highest CVSS rating this month (8.8) and describes how a Cross-Site Scripting (XSS) vulnerability can be used to fully compromise the underlying system. Interestingly, the attack only concerns situations where a user logs on to the Web Dispatcher's administration UI with the 'admin' role, so exposure of that UI and the number of accounts holding the role determine how reachable the vulnerability is in practice. The note describes various workarounds, but applying the released patches is of course highly recommended.
Security note 3508947 describes an information disclosure in SAP GUI for HTML that can expose files which should be restricted. Although the patch itself is for the SAP ABAP backend, the vulnerability is only relevant when a proxy server sits in front of it, such as an SAP Web Dispatcher (or another reverse proxy). This is a clear example of how security concerns more than only the main component.
SAP Host agent
The next example concerns the SAP Host Agent, a component that is probably known only to technical administrators. It is a rather small component that is installed out-of-the-box with many SAP products and is used for life-cycle tasks, mainly monitoring. Security note 3509619 describes a local privilege escalation: the agent can be used to manipulate system files, with great potential impact.
SAP Software Update Manager (SUM)
The Software Update Manager (SUM) is a tool used for tasks like the installation and upgrade of components in an SAP landscape. It is, again, a tool that is mainly known and used by technical administrators. Security note 3522953 describes how SUM can write credentials (username/password combinations) in clear text to log files at OS level; anyone who can read those files can use the credentials to gain unauthorized access to the system.
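Applying the patch stops SUM from writing new credentials to its logs, but it does nothing about log files that were written before the patch. As an added illustration (example code written for this article, not SAP's or SecurityBridge's code), the following Python script scans OS-level log files for credentials written in clear text so that old logs can be checked and the affected accounts rotated. The SUM log format is not described in the note, so the sample lines, the list of secret keys and the key/value patterns are assumptions; adjust them to the logs you actually have.

```python
"""Scan OS-level log files for credentials written in clear text.

Added example, not SecurityBridge or SAP code. The SUM log format is not
public on this page, so the SAMPLE_LOG lines below are constructed and the
key/value patterns are generic assumptions about how a tool might write a
user/password pair, not SUM's actual format.
"""
import re
import sys
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable

# Keys whose value is treated as a secret (assumed, generic list).
SECRET_KEYS = ("password", "passwd", "pwd", "pass", "secret", "token")

# Matches  password=value,  password: value  and  "password": "value".
# The value runs up to whitespace, a quote, a comma or a semicolon.
_PATTERN = re.compile(
    r'\b(?P<key>' + "|".join(SECRET_KEYS) + r')\b'
    r'(?P<sep>"?\s*[=:]\s*"?)'
    r'(?P<value>[^\s",;]+)',
    re.IGNORECASE,
)

# Values a patched tool might write instead of the secret: ********, xxxx,
# <hidden>, [masked]. These are not leaks and must not be reported.
_MASKED = re.compile(r'^(\*+|x+|<[^>]*>|\[[^\]]*\])$', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    source: str    # file name or label of the scanned input
    lineno: int    # 1-based line number
    key: str       # which secret key matched (as written in the log)
    redacted: str  # the offending line with the secret value replaced


def _is_masked(value: str) -> bool:
    return bool(_MASKED.match(value))


def redact(line: str) -> str:
    """Return the line with every unmasked secret value replaced by ***."""
    def _sub(m):
        if _is_masked(m.group("value")):
            return m.group(0)          # already masked, leave untouched
        return m.group("key") + m.group("sep") + "***"
    return _PATTERN.sub(_sub, line)


def scan_lines(lines: Iterable[str], source: str = "<memory>") -> list[Finding]:
    """Report every line that carries at least one unmasked secret value."""
    findings: list[Finding] = []
    for lineno, raw in enumerate(lines, start=1):
        line = raw.rstrip("\n")
        leaked = [m for m in _PATTERN.finditer(line)
                  if not _is_masked(m.group("value"))]
        if leaked:
            findings.append(Finding(source, lineno, leaked[0].group("key"), redact(line)))
    return findings


def scan_file(path: str) -> list[Finding]:
    """Scan one log file; undecodable bytes are replaced rather than aborting."""
    p = Path(path)
    with p.open("r", errors="replace") as fh:
        return scan_lines(fh, str(p))


# Constructed sample log, not real SUM output.
SAMPLE_LOG = [
    "2024-11-12 10:15:03 INFO  Connecting to host sapapp01 sysnr=00 client=000",
    "2024-11-12 10:15:03 DEBUG logon user=DDIC password=Secr3t! lang=EN",
    '2024-11-12 10:15:04 DEBUG request body {"user": "SAPADM", "password": "Adm1nPw"}',
    "2024-11-12 10:15:05 INFO  Password check for user DDIC succeeded",
    "2024-11-12 10:15:06 DEBUG logon user=DDIC password=******** lang=EN",
]


if __name__ == "__main__":
    # Usage: python scan_logs.py [file ...]; without arguments the sample is scanned.
    if len(sys.argv) > 1:
        results = [f for path in sys.argv[1:] for f in scan_file(path)]
    else:
        results = scan_lines(SAMPLE_LOG, "SAMPLE_LOG")
    for f in results:
        print(f"{f.source}:{f.lineno}: key '{f.key}' -> {f.redacted}")
    sys.exit(1 if results else 0)
```

The script reports only the redacted line, never the secret itself, so its output can be attached to a ticket without repeating the leak. Values that are already masked (********, <hidden>, [masked]) are deliberately ignored so that a patched system does not raise false alarms. Whatever it finds in old logs, treat those credentials as compromised: rotate the accounts and purge or restrict access to the files.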
The above are just a subset of examples from this month's release. Every month we see security notes like these that concern components beyond the 'standard' scope of the main technology stacks. Be aware!
The remaining notes mainly concern 'standard' corrections to the respective component. For the complete overview, see the table below.
SAP Security Notes November 2024
Highlights
A relatively low number of SAP Security Notes this month, with 8 new and 2 updated notes. There are no notes with priority 'HotNews'; the notes mainly concern on-premise SAP products.
Summary by Severity
The November release contains a total of 10 patches with the following severities:
Severity | Number
---|---
Hot News | 0
High | 2
Medium | 6
Low | 2
All notes are of category 'Program error'. The two notes with a release date before 12.11.2024 are the updated ones.
Note | CVE | Title | Priority | Released on | Component | Severity | CVSS
---|---|---|---|---|---|---|---
3520281 | CVE-2024-47590 | Cross-Site Scripting (XSS) vulnerability in SAP Web Dispatcher | Correction with high priority | 12.11.2024 | BC-CST-WDP | High | 8.8
3483344 | CVE-2024-39592 | Missing Authorization check in SAP PDCE | Correction with high priority | 09.07.2024 | FIN-BA | High | 7.7
3335394 | CVE-2024-42372 | Missing Authorization check in SAP NetWeaver AS Java (System Landscape Directory) | Correction with medium priority | 12.11.2024 | BC-CCM-SLD | Medium | 6.5
3509619 | CVE-2024-47595 | Local Privilege Escalation in SAP Host Agent | Correction with medium priority | 12.11.2024 | BC-CCM-HAG | Medium | 6.3
3504390 | CVE-2024-47586 | NULL Pointer Dereference vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform | Correction with medium priority | 12.11.2024 | BC-ABA-LA | Medium | 5.3
3393899 | CVE-2024-47592 | Information Disclosure vulnerability in SAP NetWeaver Application Server Java (Logon Application) | Correction with medium priority | 12.11.2024 | BC-JAS-SEC | Medium | 5.3
3522953 | CVE-2024-47588 | Information Disclosure vulnerability in SAP NetWeaver Java (Software Update Manager) | Correction with medium priority | 12.11.2024 | BC-UPG-TLS-TLJ | Medium | 4.7
3508947 | CVE-2024-47593 | Information Disclosure vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform | Correction with medium priority | 12.11.2024 | BC-FES-WGU | Medium | 4.3
3498470 | CVE-2024-47587 | Missing authorization check in SAP Cash Management (Cash Operations) | Correction with low priority | 12.11.2024 | FIN-FSCM-CLM-COP | Low | 3.5
3392049 | CVE-2024-33000 | Missing Authorization check in SAP Bank Account Management | Correction with low priority | 14.05.2024 | FIN-FSCM-CLM-BAM | Low | 3.5