
SAP Security Patch Day – October 2024

Gert-Jan Koster
SAP Security specialist
October 8, 2024
5 min read

Chapters

Share Article

SAP Security Patch Tuesday 2024

There we go again, it’s Patch Tuesday! This month, SAP has released 12 new or updated security notes that deserve close attention from any SAP Security professional. As always, we will dive into the highlights, but not without underlining a message that may sound like a broken record to some: take all security patches seriously and make sure patching is anchored in a clear Patch Management process. Known vulnerabilities are one of the main entry points to systems and data for malicious actors, so let’s make sure those are shut down!

Applying patches to stay secure sounds like a no-brainer but effective Patch Management proves to be a challenge to many organizations, especially in a complex SAP landscape. The SecurityBridge Patch Management solution greatly helps to lift that load by identifying missing security patches across the landscape and by providing essential information to effectively manage this part of vulnerability management.


Security notes - October 2024

As said, there are 12 security notes that we need to review this month. That is not a huge number, but remember it is not the number that counts; what counts is identifying which notes are relevant for your landscape. To make a non-IT analogy: a burglar does not need 12 ways into your house, one way will do just fine…

HotNews

SAP note 3479478 has again been updated this month and that’s the 3rd time in a row this note is part of the monthly release. This time, a patch has been made available for version 420 of the Business Objects platform. So should you have applied a workaround so far, there is a patch available now.

High priority

Many software packages make use of open source libraries and with SAP packages that is no exception. When there is an issue with those libraries, a software patch is required to make sure secure versions of those libraries are used. SAP note 3523541 describes such a situation for SAP Enterprise Project Connection. So if you need this component for integration scenarios, please apply the patch!

SAP note 3478615 addresses once again a vulnerability that allows malicious file uploads. Looking back at the monthly patch rounds of last year, it is remarkable how this is a common attack vector. This time, it concerns the Business Objects platform on the Web Intelligence component. Very important: applying the patch is not enough! You need to create a file on the server as described in the note to really fix this vulnerability.

SAP note 3483344 concerns an update about a missing authorization check for which there is now also a patch available for SEM-BW systems. If you have systems with these components, review and apply the patch where needed.

Medium priority

All other notes of this month’s release have a medium priority and are either new or updated. Most of the notes simply require the patch or correction to be applied. Some highlights are:

  • Note 3520100: this vulnerability affects the SAP HANA client, a separate client that can be installed to integrate 3rd party systems with SAP HANA databases. This is a typical example of an application that is overlooked in IT landscapes. Take note of the update when using the client!
  • Note 3481588: the note has been updated with correction instructions for SAP BW 700 to 702 releases. Review if applicable.
  • Note 3479293: this note turns out to be relevant only if the product SLCM is in use or the switch ISHERCM_MAIN is activated.
  • Note 3454858: the manual instructions have been extensively enhanced. Review if applicable.

SAP Security Notes October 2024

Highlights

A relatively low number of patches this month. More than half concern updates to existing notes.

Summary by Severity

The October release contains a total of 12 patches for the following severities:

Severity    Number
Hot News    1
High        3
Medium      8
Note / Description / Severity / CVSS

Note 3479478: [CVE-2024-41730] Missing Authentication check in SAP BusinessObjects Business Intelligence Platform
Priority: HotNews
Released on: 13.08.2024
Components: BI-BIP-INV
Category: Program error
Severity: Hot News, CVSS: 9.8

Note 3523541: [CVE-2022-23302] Multiple vulnerabilities in SAP Enterprise Project Connection
Priority: Correction with high priority
Released on: 08.10.2024
Components: CA-EPC
Category: Program error
Severity: High, CVSS: 8.0

Note 3478615: [CVE-2024-37179] Insecure File Operations vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Intelligence)
Priority: Correction with high priority
Released on: 08.10.2024
Components: BI-RA-WBI-BE
Category: Program error
Severity: High, CVSS: 7.7

Note 3483344: [CVE-2024-39592] Missing Authorization check in SAP PDCE
Priority: Correction with high priority
Released on: 09.07.2024
Components: FIN-BA
Category: Program error
Severity: High, CVSS: 7.7

Note 3477359: [CVE-2024-45283] Information disclosure vulnerability in SAP NetWeaver AS for Java (Destination Service)
Priority: Correction with medium priority
Released on: 10.09.2024
Components: BC-JAS-SEC-DST
Category: Program error
Severity: Medium, CVSS: 6.0

Note 3507545: [CVE-2024-45278] Cross-Site Scripting (XSS) vulnerability in SAP Commerce Backoffice
Priority: Correction with medium priority
Released on: 08.10.2024
Components: CEC-SCC-CDM-BO-APP
Category: Program error
Severity: Medium, CVSS: 5.4

Note 3503462: [CVE-2024-47594] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal (KMC)
Priority: Correction with medium priority
Released on: 08.10.2024
Components: EP-KM-ADM-CFG
Category: Program error
Severity: Medium, CVSS: 5.4

Note 3520100: [CVE-2024-45277] Prototype Pollution vulnerability in SAP HANA Client
Priority: Correction with medium priority
Released on: 08.10.2024
Components: HAN-DB-CLI
Category: Program error
Severity: Medium, CVSS: 4.3

Note 3251893: [CVE-2024-45282] HTTP Verb Tampering in SAP S/4 HANA (Manage Bank Statements)
Priority: Correction with medium priority
Released on: 24.09.2024
Components: FI-FIO-AR
Category: Program error
Severity: Medium, CVSS: 4.3

Note 3481588: [CVE-2024-41729] Information Disclosure vulnerability in the SAP NetWeaver BW (BEx Analyzer)
Priority: Correction with medium priority
Released on: 10.09.2024
Components: BW-BEX-ET-WB-7X
Category: Program error
Severity: Medium, CVSS: 4.3

Note 3479293: [CVE-2024-42373] Missing Authorization Check in SAP Student Life Cycle Management (SLcM)
Priority: Correction with medium priority
Released on: 13.08.2024
Components: IS-HER-CM-AD
Category: Program error
Severity: Medium, CVSS: 4.3

Note 3454858: [CVE-2024-37180] Information Disclosure vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform
Priority: Correction with medium priority
Released on: 09.07.2024
Components: BC-SRV-DX-DXW
Category: Program error
Severity: Medium, CVSS: 4.1
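As an added illustration of the triage this post argues for (identifying which notes are relevant per system and flagging those that need more than importing the patch), the script below matches the October 2024 note list against a constructed system inventory. It is example code written for this page, not SecurityBridge's product; the prefix-based component matching and the sample landscape are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Note:
    number: int
    cve: str
    component: str
    severity: str
    cvss: float
    manual_steps: bool = False  # note needs action beyond importing the patch

# October 2024 notes as listed in the table above; 3478615 is flagged because
# the post stresses that a file must be created on the server after patching.
OCTOBER_2024 = [
    Note(3479478, "CVE-2024-41730", "BI-BIP-INV", "Hot News", 9.8),
    Note(3523541, "CVE-2022-23302", "CA-EPC", "High", 8.0),
    Note(3478615, "CVE-2024-37179", "BI-RA-WBI-BE", "High", 7.7, manual_steps=True),
    Note(3483344, "CVE-2024-39592", "FIN-BA", "High", 7.7),
    Note(3477359, "CVE-2024-45283", "BC-JAS-SEC-DST", "Medium", 6.0),
    Note(3507545, "CVE-2024-45278", "CEC-SCC-CDM-BO-APP", "Medium", 5.4),
    Note(3503462, "CVE-2024-47594", "EP-KM-ADM-CFG", "Medium", 5.4),
    Note(3520100, "CVE-2024-45277", "HAN-DB-CLI", "Medium", 4.3),
    Note(3251893, "CVE-2024-45282", "FI-FIO-AR", "Medium", 4.3),
    Note(3481588, "CVE-2024-41729", "BW-BEX-ET-WB-7X", "Medium", 4.3),
    Note(3479293, "CVE-2024-42373", "IS-HER-CM-AD", "Medium", 4.3),
    Note(3454858, "CVE-2024-37180", "BC-SRV-DX-DXW", "Medium", 4.1),
]

def component_matches(installed: str, note_component: str) -> bool:
    """Assumption: a note applies when its component equals an installed one
    or sits below it in the hierarchy (BI-RA-WBI-BE on a system with BI-RA)."""
    return note_component == installed or note_component.startswith(installed + "-")

def relevant_notes(installed_components, applied_notes, notes=OCTOBER_2024):
    """Notes not yet applied that touch an installed component, highest CVSS first."""
    missing = [n for n in notes if n.number not in applied_notes
               and any(component_matches(c, n.component) for c in installed_components)]
    return sorted(missing, key=lambda n: (-n.cvss, n.number))

# Constructed landscape: a BusinessObjects server (HotNews already applied) and an ERP.
LANDSCAPE = {
    "BOE-PRD": {"components": {"BI-BIP", "BI-RA"}, "applied": {3479478}},
    "ERP-PRD": {"components": {"BC-JAS-SEC-DST", "FIN-BA", "FI-FIO-AR"}, "applied": set()},
}

def triage(landscape=LANDSCAPE):
    """Per system: open notes as (number, cvss, needs manual steps) tuples."""
    return {sid: [(n.number, n.cvss, n.manual_steps)
                  for n in relevant_notes(info["components"], info["applied"])]
            for sid, info in landscape.items()}
```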