Skip to content

SAP Security Patch Day – March 2024

Gert-Jan Koster
SAP Security specialist
March 12, 2024
5 min read
Chapters

Share Article

SAP Security Patch Tuesday 2024

We find ourselves already at the doorstep of the third SAP Security Patch Day of the year! Once again, SAP has rolled out a batch of security patches, and as always, we’re here to delve into the highlights. It’s a common narrative in today’s digital landscape – headlines with tales of data breaches, ransomware attacks, and other cyber assaults that put organizations at risk. More often than not, the common thread linking these incidents is the presence of unpatched systems, serving as the Achilles’ heel in the defense against such threats.

These recurring headlines serve as a reminder of the imperative nature of patch management in IT security. It’s a task that organizations cannot afford to delay or ignore. The negative repercussions of neglecting this vital aspect of security infrastructure are abundantly clear, demonstrated time and again by dramatic real-world examples.

At SecurityBridge, we highly value the critical role of patch management and understand the intricate challenges it poses for organizations. Our Patch Management solution acts as a guiding light in this matter, offering invaluable insights into the patching gaps prevalent across SAP landscapes. Moreover, it enables organizations to assess the potential impact of specific patches, even before their deployment, presenting a comprehensive, landscape-wide overview of the patching status.

SAP Security Patches March 2024

For March 2024, 10 new Security Notes have been released and 2 have been updated. Let’s look at some highlights, starting with the ‘HotNews’ notes.

HotNews

This month concerns 2 new HotNews notes. Note 2622660 has been updated for Google Chromium and SAP Business Client. This note gets updated regularly and this time it concerns an update with CVSS 9.8 for which public exploits are available. Review closely when applicable for your landscape! 

Note 3425274 is newly released and describes a vulnerability when using the SAP Build platform. Interestingly, the actual vulnerability dates back to 2019… Make sure to rebuild your apps with version 4.9.145 or higher as stated by the note! Related CVSS is 9.4.

A common component of an SAP Java system is the ‘Log Viewer’ for reviewing logs and further analysis. Many administrators will know this functionality. What is perhaps less known, is that a custom log file can also be uploaded to the application. Note 3433192 describes a vulnerability that is caused by improper validation of these files, which could have a severe impact on the confidentiality, integrity, and availability of the application (CVSS 9.1). Make sure to apply the relevant patches or the mentioned workaround!

CVE-2023-44487 – HTTP/2 Rapid Reset Attack

Now and then, a vulnerability comes to light that has a potential impact on many components. The same goes for the so-called ‘HTTP/2 Rapid Reset Attack’ cataloged under ‘CVE-2023-44487’. Those who keep a close eye on vulnerabilities and SAP Security patches in particular, may have noticed this vulnerability from 2023 and January earlier this year. See SAP notes 3390068 and 3389917. Exploitation may lead to a denial of service of the component concerned. The Internet Communication Manager (ICM) and SAP Web Dispatcher are examples of affected SAP components. Solutions that use these components may also impacted, like SAP HANA XS Classic and Advanced. SAP note 3410615 has been released this month to address these products specifically for this vulnerability. 

Security notes with ‘High’ to ‘Medium’ priority

Most vulnerabilities only require patching of the concerned software component. Below we share some additional remarks concerning the other released security notes for February 2024:

  • Note 3346500: this note has been re-released with new patch information, review when using SAP Commerce Cloud.
  • Note 3410615: as stated above, this note concerns the SAP Web Dispatcher but to patch this, patches for the SAP HANA XS Classic or Advanced need to be applied.

SAP Security Notes March 2024

Highlights

For March 2024, 10 new Security Notes have been released and 2 have been updated.

Summary by Severity

The March release contains a total of 12 patches for the following severities:

SeverityNumber
Hot News
3
High
3
Medium
6
NoteDescriptionSeverityCVSS
2622660Security updates for the browser control Google Chromium delivered with SAP Business Client
Priority: HotNews
Released on: 10.04.2018
Components: BC-FES-BUS-DSK
Category: Program error
Hot News10.0
3425274[CVE-2019-10744] Code Injection vulnerability in applications built with SAP Build Apps
Priority: HotNews
Released on: 12.03.2024
Components: CA-LCA-ACP
Category: Program error
Hot News9.4
3433192[CVE-2024-22127] Code Injection vulnerability in SAP NetWeaver AS Java (Administrator Log Viewer plug-in)
Priority: HotNews
Released on: 12.03.2024
Components: BC-JAS-ADM-LOG
Category: Program error
Hot News9.1
3346500[CVE-2023-39439] Improper authentication in SAP Commerce Cloud
Priority: Correction with high priority
Released on: 08.08.2023
Components: CEC-SCC-PLA-PL
Category: Program error
High8.8
3410615[CVE-2023-44487 ] Denial of service (DOS) in SAP HANA XS Classic and HANA XS Advanced
Priority: Correction with high priority
Released on: 12.03.2024
Components: HAN-AS-XS
Category: Program error
High7.5
3414195[CVE-2023-50164] Path Traversal Vulnerability in SAP BusinessObjects Business Intelligence Platform (Central Management Console)
Priority: Correction with high priority
Released on: 12.03.2024
Components: BI-BIP-CMC
Category: Program error
High7.2
3377979[CVE-2024-27902] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP, applications based on SAPGUI for HTML (WebGUI)
Priority: Correction with medium priority
Released on: 12.03.2024
Components: BC-FES-WGU
Category: Program error
Medium5.4
3434192[CVE-2024-28163] Information Disclosure vulnerability in SAP NetWeaver Process Integration (Support Web Pages)
Priority: Correction with medium priority
Released on: 12.03.2024
Components: BC-XI-IBF-UI
Category: Program error
Medium5.3
3425682[CVE-2024-25644] Information Disclosure vulnerability in SAP NetWeaver (WSRM)
Priority: Correction with medium priority
Released on: 12.03.2024
Components: BC-ESI-WS-JAV-RT
Category: Program error
Medium5.3
3428847[CVE-2024-25645] Information Disclosure vulnerability in SAP NetWeaver (Enterprise Portal)
Priority: Correction with medium priority
Released on: 12.03.2024
Components: EP-PIN-APF-OPR
Category: Program error
Medium5.3
3417399[CVE-2024-22133] Improper Access Control in SAP Fiori Front End Server
Priority: Correction with medium priority
Released on: 12.03.2024
Components: PA-FIO-LEA
Category: Program error
Medium4.6
3419022[CVE-2024-27900]Missing Authorization check in SAP ABAP Platform
Priority: Correction with medium priority
Released on: 12.03.2024
Components: BC-SRV-APS-APJ
Category: Program error
Medium4.3