Skip to content

SAP Security Patch Day – September 2024

Gert-Jan Koster
SAP Security specialist
September 10, 2024
5 min read
Chapters

Share Article

SAP Security Patch Tuesday 2024

What is the most important day of the month for a SAP security professional? Arguably, it is SAP Security Patch Day! You know, that infamous second Tuesday of the month when SAP releases its latest run of SAP security patches. For many, it marks the start of a lengthy manual analysis and implementation of changes in the SAP landscape. All to make sure that all vulnerabilities are mitigated as soon as possible. And rightly so! Patch management is of the utmost importance to prevent cyber attacks that can exploit known security issues and cause serious damage.

At SecurityBridge, we are all too familiar with the challenges that come with patch management. As easy as it may sound, in an SAP landscape, it is not. Time and time again, it proves to be a complex process that requires meticulous research and serious efforts to get it right. The SecurityBridge Patch Management solution greatly helps to create insight into missing patches across an SAP landscape and provides essential functionalities to handle patch management effectively, like automatic implementation and impact analysis.

SAP Security Patches September 2024

For this month, we see 16 new Security Notes and 3 that have been updated. See below for the highlights.

Updated security notes

HotNews note 3479478 was first released last month in August and got some important updates:

  • The vulnerability is only valid for web application servers where biprws is deployed but also valid for version 420 of the Business Objects platform.
  • There is a workaround available now to temporarily fix the issue. Of course: it is recommended to apply the relevant patches.

Take note of above changes if applicable, this vulnerability gives way to a complete compromise of your system (CVSS 9.8)!

For note 3459935 (CVSS 7.4), only the solution information has been updated. In short: you’ll need 2211.28 instead of 2211.27 to fix the issue on SAP Commerce Cloud. A small, but important update if you think you’re safe with the previous version…

The update for note 3495876 (CVSS 6.5) is actually quite minimal and only refers to an additional cleanup of files after patching, see the note for more information.

New security notes

Many of the newly released notes are quite straightforward and simply require customers to apply the update where applicable. Some highlights are:

  • Note 3430336 describes a vulnerability for the BREACH attack. Consider the patches mentioned in the note AND implement the XorCsrfTokenRequestAttributeHandler token for custom web applications.
  • Note 3488039 is about multiple vulnerabilities in the SAP_BASIS layer with a medium category: CVSS 4.3-5.4. Note there is a workaround as well by adapting object S_RFC.

SAP Security Notes September 2024

Highlights

Many 'Medium' to 'Low' priority notes. Make sure to review the updated notes with 'High' and 'HotNews' priority to ensure systems are still safe.

Summary by Severity

The September release contains a total of 19 patches for the following severities:

SeverityNumber
Hot News
1
High
1
Medium
14
Low
3
NoteDescriptionSeverityCVSS
3479478[CVE-2024-41730] Missing Authentication check in SAP BusinessObjects Business Intelligence Platform
Priority: HotNews
Released on: 13.08.2024
Components: BI-BIP-INV
Category: Program error
Hot News9.8
3459935[CVE-2024-33003] Information Disclosure Vulnerability in SAP Commerce Cloud
Priority: Correction with high priority
Released on: 13.08.2024
Components: CEC-COM-CPS-COR
Category: Program error
High7.4
3495876[Multiple CVEs] Multiple vulnerabilities in SAP Replication Server (FOSS)
Priority: Correction with medium priority
Released on: 13.08.2024
Components: BC-SYB-REP
Category: Program error
Medium6.5
3488341[CVE-2024-45286] Missing Authorization check in SAP Production and Revenue Accounting (Tobin interface)
Priority: Correction with medium priority
Released on: 10.09.2024
Components: IS-OIL-PRA-REV-OW
Category: Program error
Medium6.5
3501359[CVE-2024-45279] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server for ABAP(CRM Blueprint Application Builder Panel)
Priority: Correction with medium priority
Released on: 10.09.2024
Components: CA-GTF-PCF
Category: Program error
Medium6.1
3497347[CVE-2024-42378] Cross-Site Scripting (XSS) in eProcurement on S/4HANA
Priority: Correction with medium priority
Released on: 10.09.2024
Components: MM-PUR-SSP
Category: Program error
Medium6.1
3477359[CVE-2024-45283] Information disclosure vulnerability in SAP NetWeaver AS for Java (Destination Service)
Priority: Correction with medium priority
Released on: 10.09.2024
Components: BC-JAS-SEC-DST
Category: Program error
Medium6.0
3430336[CVE-2013-3587] Information Disclosure vulnerability in SAP Commerce Cloud
Priority: Correction with medium priority
Released on: 10.09.2024
Components: CEC-SCC-PLA-PL
Category: Program error
Medium5.9
3425287[CVE-2024-45281] DLL hijacking vulnerability in SAP BusinessObjects Business Intelligence Platform
Priority: Correction with medium priority
Released on: 10.09.2024
Components: BI-RA-WBI-BE
Category: Program error
Medium5.8
3488039[Multiple CVEs] Multiple vulnerabilities in SAP NetWeaver Application Server for ABAP and ABAP Platform
Priority: Correction with medium priority
Released on: 10.09.2024
Components: BC-DWB-SEM
Category: Program error
Medium5.4
3505503[CVE-2024-45280] Cross-Site Scripting (XSS) Vulnerability in SAP NetWeaver AS Java (Logon Application)
Priority: Correction with medium priority
Released on: 10.09.2024
Components: BC-JAS-SEC-LGN
Category: Program error
Medium4.8
3498221[CVE-2024-44120] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal
Priority: Correction with medium priority
Released on: 10.09.2024
Components: BC-PIN-PCD
Category: Program error
Medium4.7
3481588[CVE-2024-41729] Information Disclosure vulnerability in the SAP NetWeaver BW (BEx Analyzer)
Priority: Correction with medium priority
Released on: 10.09.2024
Components: BW-BEX-ET-WB-7X
Category: Program error
Medium4.3
3505293[CVE-2024-44112] Missing Authorization check in SAP for Oil & Gas (Transportation and Distribution)
Priority: Correction with medium priority
Released on: 10.09.2024
Components: IS-OIL-DS-TD
Category: Program error
Medium4.3
3437585[CVE-2024-44121] Information Disclosure in SAP S/4 HANA (Statutory Reports)
Priority: Correction with medium priority
Released on: 27.08.2024
Components: FI-LOC-SRF-RUN
Category: Program error
Medium4.3
3481992[CVE-2024-44113] Information Disclosure vulnerability in the SAP Business Warehouse (BEx Analyzer)
Priority: Correction with medium priority
Released on: 10.09.2024
Components: BW-BEX-ET-WB-7X
Category: Program error
Medium4.3
2256627[CVE-2024-45284] Missing authorization check in SAP Student Life Cycle Management (SLcM)
Priority: Correction with low priority
Released on: 10.09.2024
Components: IS-HER-CM
Category: Program error
Low2.7
3496410[CVE-2024-41728] Missing Authorization check in SAP NetWeaver Application Server for ABAP and ABAP Platform
Priority: Correction with low priority
Released on: 10.09.2024
Components: BC-DWB-TOO-ABA
Category: Program error
Low2.7
3507252[CVE-2024-44114] Missing Authorization check in SAP NetWeaver Application Server for ABAP and ABAP Platform
Priority: Correction with low priority
Released on: 10.09.2024
Components: BC-ABA-LA
Category: Program error
Low2.0