SAP Security Patch Day – October 2024
There we go again, it’s Patch Tuesday! This month, SAP has released 12 new / updated security notes that deserve close attention from any SAP Security professional. As always, we will dive into the highlights but not without underlining our message that may sound like a broken record to some: take all security patches seriously and make sure this is secured in a clear Patch Management process. Known vulnerabilities are one of the main entry points to systems and data for malicious actors, so let’s make sure those are shut down!
Applying patches to stay secure sounds like a no-brainer but effective Patch Management proves to be a challenge to many organizations, especially in a complex SAP landscape. The SecurityBridge Patch Management solution greatly helps to lift that load by identifying missing security patches across the landscape and by providing essential information to effectively manage this part of vulnerability management.
Security notes - October 2024
As said, there are 12 security notes that we need to review this month. That is not a huge number but remember it is not the number that counts but identifying what notes are relevant for your landscape. To make a non-IT analogy: a burglar does not need 12 ways into your house, one way will do just fine…
HotNews
SAP note 3479478 has been updated again this month, which makes it the 3rd time in a row that this note is part of the monthly release. This time, a patch has been made available for version 420 of the Business Objects platform. So if you have only applied the workaround so far, a patch is now available.
High priority
Many software packages make use of open source libraries and with SAP packages that is no exception. When there is an issue with those libraries, a software patch is required to make sure secure versions of those libraries are used. SAP note 3523541 describes such a situation for SAP Enterprise Project Connection. So if you need this component for integration scenarios, please apply the patch!
SAP note 3478615 once again addresses a vulnerability that allows malicious file uploads. Looking back at the monthly patch rounds of the past year, it is remarkable how common this attack vector is. This time, it concerns the Web Intelligence component of the Business Objects platform. Very important: applying the patch is not enough! You also need to create a file on the server as described in the note to really fix this vulnerability.
SAP note 3483344 is an update about a missing authorization check; a patch is now also available for SEM-BW systems. If you have systems with these components, review and apply the patch where needed.
Medium priority
All other notes of this month’s release have a medium priority and are either new or updated. Most of the notes simply require the patch or correction to be applied. Some highlights are:
- Note 3520100: this vulnerability affects the SAP HANA client, a separate client that can be installed to integrate 3rd party systems with SAP HANA databases. This is a typical example of an application that is overlooked in IT landscapes. Take note of the update when using the client!
- Note 3481588: the note has been updated with correction instructions for SAP BW 700 to 702 releases. Review if applicable.
- Note 3479293: this note turns out to be relevant only if the product SLCM is in use or the switch ISHERCM_MAIN is activated.
- Note 3454858: the manual instructions have been extensively enhanced. Review if applicable.
SAP Security Notes October 2024
Highlights
A relatively low number of patches this month. More than half concern updates to existing notes.
Summary by Severity
The October release contains a total of 12 patches for the following severities:
Severity | Number
---|---
Hot News | 1
High | 3
Medium | 8
Note | CVE | Description | Priority | Released on | Components | Category | Severity | CVSS
---|---|---|---|---|---|---|---|---
3479478 | CVE-2024-41730 | Missing Authentication check in SAP BusinessObjects Business Intelligence Platform | HotNews | 13.08.2024 | BI-BIP-INV | Program error | Hot News | 9.8
3523541 | CVE-2022-23302 | Multiple vulnerabilities in SAP Enterprise Project Connection | Correction with high priority | 08.10.2024 | CA-EPC | Program error | High | 8.0
3478615 | CVE-2024-37179 | Insecure File Operations vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Intelligence) | Correction with high priority | 08.10.2024 | BI-RA-WBI-BE | Program error | High | 7.7
3483344 | CVE-2024-39592 | Missing Authorization check in SAP PDCE | Correction with high priority | 09.07.2024 | FIN-BA | Program error | High | 7.7
3477359 | CVE-2024-45283 | Information disclosure vulnerability in SAP NetWeaver AS for Java (Destination Service) | Correction with medium priority | 10.09.2024 | BC-JAS-SEC-DST | Program error | Medium | 6.0
3507545 | CVE-2024-45278 | Cross-Site Scripting (XSS) vulnerability in SAP Commerce Backoffice | Correction with medium priority | 08.10.2024 | CEC-SCC-CDM-BO-APP | Program error | Medium | 5.4
3503462 | CVE-2024-47594 | Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal (KMC) | Correction with medium priority | 08.10.2024 | EP-KM-ADM-CFG | Program error | Medium | 5.4
3520100 | CVE-2024-45277 | Prototype Pollution vulnerability in SAP HANA Client | Correction with medium priority | 08.10.2024 | HAN-DB-CLI | Program error | Medium | 4.3
3251893 | CVE-2024-45282 | HTTP Verb Tampering in SAP S/4 HANA (Manage Bank Statements) | Correction with medium priority | 24.09.2024 | FI-FIO-AR | Program error | Medium | 4.3
3481588 | CVE-2024-41729 | Information Disclosure vulnerability in the SAP NetWeaver BW (BEx Analyzer) | Correction with medium priority | 10.09.2024 | BW-BEX-ET-WB-7X | Program error | Medium | 4.3
3479293 | CVE-2024-42373 | Missing Authorization Check in SAP Student Life Cycle Management (SLcM) | Correction with medium priority | 13.08.2024 | IS-HER-CM-AD | Program error | Medium | 4.3
3454858 | CVE-2024-37180 | Information Disclosure vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform | Correction with medium priority | 09.07.2024 | BC-SRV-DX-DXW | Program error | Medium | 4.1