Skip to content

SAP Security Patch Day – June 2024

Gert-Jan Koster
SAP Security specialist
June 11, 2024
6 min read
Chapters

Share Article

SAP Security Patch Tuesday 2024

As we approach the sixth SAP Security Patch Day of the year, upholding robust security measures remains paramount. Once again, SAP has issued a series of security patches, this time the update comprises a moderate collection of 12 notes. In today’s digital landscape, it’s a narrative that rings all too familiar – headlines saturated with reports of data breaches, ransomware attacks, and other cyber threats that cast a shadow over organizations. Frequently, these incidents share a common vulnerability: unpatched systems, which serve as a significant vulnerability in the defense against such threats.

These recurring headlines underscore the essential nature of patch management in IT security. It’s a responsibility that organizations cannot afford to overlook or postpone. The repercussions of neglecting this vital security infrastructure component are apparent from numerous high-profile real-world examples.

At SecurityBridge, we recognize the critical importance of patch management and the obstacles it presents for organizations. That’s why our Patch Management solution is crafted to provide assistance, furnishing invaluable insights into existing patching gaps within SAP landscapes. Moreover, it empowers organizations to proactively evaluate the potential impacts of specific patches, offering a comprehensive overview of patching status across the entire landscape, even before implementation.

SAP Security Patches June 2024

For June 2024, 10 new Security Notes have been released and 2 have been updated at the end of May. That is a moderate list and interestingly, there are no HotNews updates this time either. That’s no reason to take this month’s release lightly though. 

Reviewing the security notes, we see vulnerabilities in the area of Cross-Site Scripting (XSS), Denial-Of-Service, malicious file uploads, Information Disclosure, and missing authorization checks. We have seen all these ‘usual suspects’ coming by in the (recent) past and they will sure keep coming in the future. Let’s further explore the notes from the perspective of these categories.

Cross-Site Scripting (XSS)

In this release, 3 notes address Cross-Site Scripting vulnerabilities, ranging from CVSS 6.1 to 8.1. XSS attacks are a type of attack where malicious scripts are injected that compromise the interaction between users and a web application.

  • Note 3457592: describes 2 issues within SAP Financial Consolidation: CVE-2024-37177 and CVE-2024-37178.
  • Note 3465129: describes an issue with WebClient UI of SAP CRM: CVE-2024-34686.
  • Note 3450286: this is a known security note from the previous release of May concerning CVE-2024-32733. This time, only the validity information has been changed so make sure to double-check its relevance for your landscape.

For all the above notes, patching is required, there is no workaround available.

Denial-of-Service (DoS)

A Denial-of-Service (DoS) attack attempts to achieve quite exactly what the name indicates: to make the target incapable of delivering its service. In other words: try to overload so it is no longer available.

  • Note 3460407: describes a DoS vulnerability on SAP AS Java: CVE-2024-34688.
  • Note 3453170: describes a DoS vulnerability on SAP NetWeaver and ABAP platform: CVE-2024-33001. This issue can only appear when there are no authorization checks for RFC’s are disabled. Consider the workaround from the note as a temporary solution.

Unrestricted file uploads

We have seen multiple vulnerabilities in this area recently. Secure handling of files remains an important topic from a security point of view. This time, note 3459379 describes such a potential issue with the SAP Document Builder service: CVE-2024-34683. Patch your system to fix this issue permanently or consider creating a virus profile yourself for the relevant MIME types as a workaround. See the note for more details on this.

Authorization checks

Missing authorization checks are – again – a common vulnerability type of which we have seen multiple examples recently. This month, we see 4 notes in this area, ranging from a CVSS 3.9 to 6.5:

  • Note 3466175: missing authorization check in S/4 HANA for incoming payment files: CVE-2024-34691.
  • Note 3465455: missing authorization check in SAP BW/4HANA Transformation and DTP: CVE-2024-37176. Keep in mind the restriction after applying the note and the manual instruction required.
  • Note 3457265: missing authorization check in SAP Student Life Cycle Management (SLcM): CVE-2024-34690.
  • Note 2638217: this note already originated in 2018 and has now been updated with new correction instructions. It describes the switchable authorization checks for Central Finance. Take note of the checks mentioned here and double-check relevance for your SAP landscape. See also note 2608312.

Information Disclosure

Last but not least, we see 2 notes in the area of Information Disclosure, which is about unwanted access to sensitive data in the broad sense of the word.

  • Note 3425571: describes potential access to server information on SAP AS Java: CVE-2024-28164. Apart from patching, there is a workaround available -see the note for the details.
  • Note 3441817: describes how an authenticated attacker can gain user credentials allowing access to remote server files: CVE-2024-34684. Patching of the system is required.

SAP Security Notes June 2024

Highlights

A moderate list of security notes without HotNews.

Summary by Severity

The June release contains a total of 12 patches for the following severities:

SeverityNumber
Hot News
0
High
2
Medium
8
Low
2
NoteDescriptionSeverityCVSS
3457592[CVE-2024-37177] Cross-Site Scripting (XSS) vulnerabilities in SAP Financial Consolidation
Priority: Correction with high priority
Released on: 11.06.2024
Components: EPM-BFC-TCL
Category: Program error
High8.1
3460407[CVE-2024-34688] Denial of service (DOS) in SAP NetWeaver AS Java (Meta Model Repository)
Priority: Correction with high priority
Released on: 11.06.2024
Components: BC-DWB-JAV-MMR
Category: Program error
High7.5
3459379[CVE-2024-34683] Unrestricted file upload in SAP Document Builder (HTTP service)
Priority: Correction with medium priority
Released on: 11.06.2024
Components: CA-GTF-DOB
Category: Program error
Medium6.5
3453170[CVE-2024-33001] Denial of service (DOS) in SAP NetWeaver and ABAP platform
Priority: Correction with medium priority
Released on: 11.06.2024
Components: SV-SMG-SDD
Category: Program error
Medium6.5
3466175[CVE-2024-34691] Missing Authorization check in SAP S/4HANA (Manage Incoming Payment Files)
Priority: Correction with medium priority
Released on: 11.06.2024
Components: FI-FIO-AR-PAY
Category: Program error
Medium6.5
3465129[CVE-2024-34686] Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI)
Priority: Correction with medium priority
Released on: 11.06.2024
Components: CA-WUI-UI
Category: Program error
Medium6.1
3450286[CVE-2024-32733] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform
Priority: Correction with medium priority
Released on: 14.05.2024
Components: BC-MID-AC
Category: Program error
Medium6.1
3465455[CVE-2024-37176] Missing Authorization check in SAP BW/4HANA Transformation and DTP
Priority: Correction with medium priority
Released on: 11.06.2024
Components: BW4-DM-TRFN
Category: Program error
Medium5.5
3457265[CVE-2024-34690] Missing Authorization check in SAP Student Life Cycle Management (SLcM)
Priority: Correction with medium priority
Released on: 11.06.2024
Components: IS-HER-CM-AD
Category: Program error
Medium5.4
3425571[CVE-2024-28164] Information Disclosure vulnerability in SAP NetWeaver AS Java (Guided Procedures)
Priority: Correction with medium priority
Released on: 11.06.2024
Components: BC-GP
Category: Program error
Medium5.3
2638217Switchable Authorization Checks in Central Finance Infrastructure Components
Priority: Correction with low priority
Released on: 13.06.2018
Components: FI-CF-INF
Category: Program error
Low3.9
3441817[CVE-2024-34684] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Scheduling)
Priority: Correction with low priority
Released on: 11.06.2024
Components: BI-BIP-PUB
Category: Program error
Low3.7