
SAP Security Patch Day – November 2024

Gert-Jan Koster
SAP Security specialist
November 12, 2024

SAP Security Patch Tuesday 2024

Another month has passed and before you know it, it is Patch Tuesday again! SAP has released its latest round of security notes and this time we have a modest number of 10 security notes that we will further highlight below. As always, this modest number is no reason to take patch management a bit more lightly. A close review is always necessary to make sure your SAP landscape is safe.

At SecurityBridge, we highly value the importance of patch management and recognize the complexity for organizations to manage it effectively. The SecurityBridge Patch Management solution greatly helps to create insight into missing patches across an SAP landscape, including impact assessment of specific patches even before implementation. By presenting the status in a comprehensive and landscape-wide overview, this solution is an essential toolkit to strengthen the security posture of an SAP landscape.


Security notes - November 2024

In this release, 8 security notes have been newly released and 2 have been updated. Interestingly, none of these has the highest priority, ‘HotNews’. Let’s look at some highlights below.

Non-critical components?

When securing an SAP landscape, it is logical to first focus on the main applications. This makes sense because that’s where most of the work is done and where the data is stored and processed. Many security notes concern these main applications, like the various modules of SAP S/4HANA, ECC, etc. From a security perspective, though, it is vital to realize that a landscape contains many other tools, agents, and similar components that can be exploited if they are not properly maintained! It is easy to overlook these components, and that’s why we give them a bit more attention in this month’s blog.

SAP Web Dispatcher

We have written about the SAP Web Dispatcher many times before, but it still is a component that can be easily overlooked. Normal end users certainly won’t realize it is there. Technical administrators should know about it of course. But in more complex landscape architectures, even seasoned technical administrators require good insight to identify connectivity flows and the role that Web Dispatcher installations play. A Web Dispatcher can also run in different modes, that is: as a standalone installation or as an embedded process within an ABAP or Java system. That may make insight even more complicated.

Security note 3520281 has the highest CVSS rating this month (8.8) and describes how a Cross-Site Scripting (XSS) vulnerability can be used to fully compromise the underlying system. Interestingly, this only concerns situations where users log on to the Web Dispatcher’s UI with the ‘admin’ role. The note describes various workarounds, but it is of course highly recommended to apply the released patches!

Security note 3508947 describes how the use of SAP GUI for HTML can lead to access to files that should be restricted. Although the patch itself is for the SAP ABAP backend, this vulnerability is only relevant when a proxy server is used, such as an SAP Web Dispatcher (or another proxy server). This is a clear example of how security concerns more than only the main component.

SAP Host Agent

The next example concerns the SAP Host Agent, a component that is probably only known to technical administrators. It is a rather small component that is installed out of the box together with many SAP products and that is used for ‘life-cycle’ tasks, mainly monitoring. Security note 3509619 describes how this agent can be used to manipulate system files with great potential impact.

SAP Software Update Manager (SUM)

The Software Update Manager (SUM) is a tool that is used for tasks like the installation and upgrade of components in an SAP landscape. It is – again – a tool that is mainly known and used by technical administrators. Security note 3522953 describes how the SUM can write credentials (username / password combinations) unencrypted to log files on the OS level, allowing unauthorized access to the system.

The above is just a subset of examples based on this month’s release. Each month we see security notes like these that concern components that are beyond the ‘standard’ scope of the main technology stacks. Be aware!

The other notes we have not yet mentioned concern mainly the ‘standard’ corrections for applying patches to the relevant component. For the complete overview, see below.

SAP Security Notes November 2024

Highlights

A relatively low number of SAP Security Notes this month, with 8 new and 2 updated notes. No notes with priority 'HotNews', mainly for on-premise SAP products.

Summary by Severity

The November release contains a total of 10 patches for the following severities:

Severity    Number
Hot News    0
High        2
Medium      6
Low         2

Note: 3520281
Description: [CVE-2024-47590] Cross-Site Scripting (XSS) vulnerability in SAP Web Dispatcher
Priority: Correction with high priority
Released on: 12.11.2024
Components: BC-CST-WDP
Category: Program error
Severity: High
CVSS: 8.8

Note: 3483344
Description: [CVE-2024-39592] Missing Authorization check in SAP PDCE
Priority: Correction with high priority
Released on: 09.07.2024
Components: FIN-BA
Category: Program error
Severity: High
CVSS: 7.7

Note: 3335394
Description: [CVE-2024-42372] Missing Authorization check in SAP NetWeaver AS Java (System Landscape Directory)
Priority: Correction with medium priority
Released on: 12.11.2024
Components: BC-CCM-SLD
Category: Program error
Severity: Medium
CVSS: 6.5

Note: 3509619
Description: [CVE-2024-47595] Local Privilege Escalation in SAP Host Agent
Priority: Correction with medium priority
Released on: 12.11.2024
Components: BC-CCM-HAG
Category: Program error
Severity: Medium
CVSS: 6.3

Note: 3504390
Description: [CVE-2024-47586] NULL Pointer Dereference vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform
Priority: Correction with medium priority
Released on: 12.11.2024
Components: BC-ABA-LA
Category: Program error
Severity: Medium
CVSS: 5.3

Note: 3393899
Description: [CVE-2024-47592] Information Disclosure Vulnerability in SAP NetWeaver Application Server Java (Logon Application)
Priority: Correction with medium priority
Released on: 12.11.2024
Components: BC-JAS-SEC
Category: Program error
Severity: Medium
CVSS: 5.3

Note: 3522953
Description: [CVE-2024-47588] Information Disclosure vulnerability in SAP NetWeaver Java (Software Update Manager)
Priority: Correction with medium priority
Released on: 12.11.2024
Components: BC-UPG-TLS-TLJ
Category: Program error
Severity: Medium
CVSS: 4.7

Note: 3508947
Description: [CVE-2024-47593] Information Disclosure Vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform
Priority: Correction with medium priority
Released on: 12.11.2024
Components: BC-FES-WGU
Category: Program error
Severity: Medium
CVSS: 4.3

Note: 3498470
Description: [CVE-2024-47587] Missing authorization check in SAP Cash Management (Cash Operations)
Priority: Correction with low priority
Released on: 12.11.2024
Components: FIN-FSCM-CLM-COP
Category: Program error
Severity: Low
CVSS: 3.5

Note: 3392049
Description: [CVE-2024-33000] Missing Authorization check in SAP Bank Account Management
Priority: Correction with low priority
Released on: 14.05.2024
Components: FIN-FSCM-CLM-BAM
Category: Program error
Severity: Low
CVSS: 3.5