SAP Security Patch Day – April 2024
As we approach the fourth SAP Security Patch Day of the year, maintaining robust security measures remains as urgent as ever! SAP has, once again, introduced a series of security patches, prompting us to explore the key highlights. This time, it is a moderate set of 12 notes. In the current digital era, it’s an all-too-familiar narrative – news stories abound with accounts of data breaches, ransomware attacks, and other cyber threats that threaten organizations. Often, these incidents share a common thread: unpatched systems, which represent a significant weakness in the defense against such threats.
These recurring headlines underscore the indispensable necessity of patch management in IT security. It’s a duty that organizations cannot afford to procrastinate or overlook. The repercussions of neglecting this vital component of security infrastructure are evident from numerous high-profile real-world examples.
At SecurityBridge, we recognize the critical significance of patch management and the complexities it presents for organizations. Our Patch Management solution is here to help, providing invaluable insights into the prevailing patching gaps across SAP landscapes. Furthermore, it empowers organizations to evaluate the potential ramifications of specific patches, even before implementation, by offering a comprehensive, landscape-wide overview of patching status.
SAP Security Patches April 2024
For April 2024, 10 new Security Notes have been released and 2 have been updated. What stands out is that there are no ‘Hot News’ notes in this release. But let that not be a reason to ‘lower your guard’! We explore some interesting highlights below.
Security-by-design and the issue of secure file integration
In this release, 3 notes have a ‘high’ priority. SAP note 3434839 describes how the User Management Engine (UME) of a Java system is vulnerable through the ‘Self-Registration’ and ‘Modify your own profile’ functions. Looking at this vulnerability underlines the importance of the ‘security by design’ principle.
SAP notes 3421384 and 3438234 are about different products, but they share a common cause of vulnerabilities: insecure handling of file input from the user interface. Many vulnerabilities are related to this and can lead to ‘Path Traversal’ attacks, for example. Why is this a problem? First, because an ‘attack’ is a problem by definition… But to be concrete: exploitation examples are the disclosure of sensitive information from the application or from other components, such as the database or the operating system, or the upload of a malicious file containing code that serves as the next step of an attack. Very often these kinds of attacks have the potential to cause severe damage!
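The following is an added illustration of the file-input issue described above; it is not code from the SAP notes or from SecurityBridge. It contrasts the ‘before’ pattern (a user-supplied file name concatenated straight onto a base directory) with a validated variant that rejects any name resolving outside that directory. `BASE_DIR` and the helper names are assumptions chosen for the example.

```python
from pathlib import Path

# Hypothetical file store: user-supplied names must stay inside this directory.
BASE_DIR = Path("/srv/app/uploads")


def unsafe_resolve(user_name: str) -> Path:
    """'Before' pattern: user input is joined onto the base path unchecked.
    '../../etc/passwd' walks out of BASE_DIR, and an absolute name such as
    '/etc/passwd' replaces BASE_DIR entirely (pathlib discards the left side)."""
    return BASE_DIR / user_name


def safe_resolve(user_name: str) -> Path:
    """Hardened pattern: normalise the joined path and require that it still
    lies inside BASE_DIR. Raises ValueError for every traversal attempt."""
    if not user_name or user_name != user_name.strip():
        raise ValueError("empty or whitespace-padded file name")
    if "\x00" in user_name:
        raise ValueError("NUL byte in file name")
    # An absolute right-hand operand would replace BASE_DIR, so reject it first.
    if Path(user_name).is_absolute():
        raise ValueError("absolute path not allowed")
    # resolve(strict=False) collapses '.' and '..' (and follows symlinks of
    # existing parents) without requiring the file to exist yet.
    candidate = (BASE_DIR / user_name).resolve(strict=False)
    base = BASE_DIR.resolve(strict=False)
    # relative_to() compares whole path components, so a sibling directory with
    # the same prefix (e.g. /srv/app/uploads2) is rejected as well.
    try:
        candidate.relative_to(base)
    except ValueError:
        raise ValueError(f"path escapes base directory: {user_name!r}") from None
    if candidate == base:
        raise ValueError("file name resolves to the base directory itself")
    return candidate


def is_safe(user_name: str) -> bool:
    """True only if safe_resolve() accepts the name; handy for tests and logging."""
    try:
        safe_resolve(user_name)
        return True
    except ValueError:
        return False
```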
All three above vulnerabilities can be mitigated either by patching the component or by a workaround. Naturally, patching is recommended, but do consider the workaround if needed (see below).
Those authorization checks…
SAP notes 3442378, 3430173, and 3427178 all concern one of the most basic causes of improper data access: the missing authorization check! Rarely does a patch round go by without patches in this category; a simple search for it across last year’s SAP patches shows dozens of examples. Depending on the technology stack, authorization checks are implemented differently, but this shows how important it is to implement them consistently!
Integration technology stacks across the decades!
Reviewing security notes sometimes offers an interesting perspective on historical developments. SAP note 3442741 describes a ‘Stack overflow’ vulnerability for the ‘Edge Integration Cell’, a deployment option that provides BTP Integration Suite functionality in a Kubernetes container setup and can be used as a hybrid integration option in a private / on-premise landscape. At the same time, SAP note 3421453 is about multiple XSS vulnerabilities in the SAP Business Connector. For those who can still remember it: yes, it is still around! A clear example of how security is relevant for all technology stacks, new and old.
SecurityBridge for patching AND workarounds
As said, our Patch Management solution greatly helps organizations manage security patches across the SAP landscape. But did you know that SecurityBridge can also be used to assist with workarounds? Let’s take this month’s security note 3438234 as an example: the insecure ABAP program concerned here is RAALTE00, which is disabled when the patch is applied. The recommended workaround is to assign an authorization group (see the note for details). The usage of programs like RAALTE00 can be closely monitored by SecurityBridge’s Threat Detection solution, so that whenever this program is started, an event is generated that can be reviewed in detail. This can be used to gather information on the usage of programs or to act swiftly whenever required. In fact, whenever a security note makes a direct reference to an insecure program like the above, SecurityBridge directly updates the recommended programs to monitor. With the automatic update functionality, controller systems on the customer side receive this signature update without effort and are up-to-date in their protection!
SAP Security Notes April 2024
Highlights
No 'Hot News' notes in this month's release. A moderate set of items, compared to earlier releases.
Summary by Severity
The April release contains a total of 12 patches for the following severities:
Severity | Number
---|---
Hot News | 0
High | 3
Medium | 9
Note | Description | Priority | Released on | Components | Category | Severity | CVSS
---|---|---|---|---|---|---|---
3434839 | [CVE-2024-27899] Security misconfiguration vulnerability in SAP NetWeaver AS Java User Management Engine | Correction with high priority | 09.04.2024 | BC-JAS-SEC-UME | Program error | High | 8.8
3421384 | [CVE-2024-25646] Information Disclosure vulnerability in SAP BusinessObjects Web Intelligence | Correction with high priority | 09.04.2024 | BI-RA-WBI | Program error | High | 7.7
3438234 | [CVE-2024-27901] Directory Traversal vulnerability in SAP Asset Accounting | Correction with high priority | 09.04.2024 | FI-AA-AA-A | Program error | High | 7.2
3442741 | Stack overflow vulnerability on the component images of SAP Integration Suite (EDGE INTEGRATION CELL) | Correction with medium priority | 09.04.2024 | LOD-HCI-PI-OP-NM | Program error | Medium | 6.8
3359778 | [CVE-2024-30218] Denial of service (DOS) vulnerability in SAP NetWeaver AS ABAP and ABAP Platform | Correction with medium priority | 09.04.2024 | BC-CST-DP | Program error | Medium | 6.5
3164677 | [CVE-2022-29613] Information Disclosure vulnerability in SAP Employee Self Service (Fiori My Leave Request) | Correction with medium priority | 10.05.2022 | PA-FIO-LEA | Program error | Medium | 6.5
3442378 | [CVE-2024-28167] Missing Authorization check in SAP Group Reporting Data Collection (Enter Package Data) | Correction with medium priority | 09.04.2024 | FIN-CS-CDC-DC | Program error | Medium | 6.5
3156972 | [CVE-2023-40306] URL Redirection vulnerability in SAP S/4HANA (Manage Catalog Items and Cross-Catalog search) | Correction with medium priority | 08.08.2023 | MM-FIO-PUR-REQ-SSP | Program error | Medium | 6.1
3425188 | [CVE-2024-27898] Server-Side Request Forgery in SAP NetWeaver (tc~esi~esp~grmg~wshealthcheck~ear) | Correction with medium priority | 09.04.2024 | BC-ESI-WS-JAV-RT | Program error | Medium | 5.3
3421453 | [Multiple CVEs] Cross-Site Scripting (XSS) vulnerabilities in SAP Business Connector | Correction with medium priority | 09.04.2024 | BC-MID-BUS | Program error | Medium | 4.8
3430173 | [CVE-2024-30217] Missing Authorization check in SAP S/4 HANA (Cash Management) | Correction with medium priority | 09.04.2024 | FIN-FSCM-CLM-BAM | Program error | Medium | 4.3
3427178 | [CVE-2024-30216] Missing Authorization check in SAP S/4 HANA (Cash Management) | Correction with medium priority | 09.04.2024 | FIN-FSCM-CLM-BAM | Program error | Medium | 4.3