
SAP Security Patch Day – February 2024

SAP Security Patch Tuesday 2024

Posted by

Gert-Jan Koster


For some, it might feel like 2024 has just started – but it is already time for the second SAP Security Patch Day of the year! SAP has again released several security patches: we will look into them and share some highlights, as always. Not a month goes by without ‘breaking news’ about data breaches, ransomware, or other attacks organizations are forced to battle against. Based on the released information, ‘unpatched’ systems often play a role in these headache situations. It is all the more reason to keep iterating the message of taking patch management seriously. Don’t let this vital task in IT security drop on the priority list, there are many examples out there of why you shouldn’t!

At SecurityBridge, we highly value the importance of patch management and recognize the complexity for organizations to manage it effectively. The SecurityBridge Patch Management solution greatly helps in creating insight into missing patches across an SAP landscape, including impact assessment of specific patches even before implementation. By presenting the status in a comprehensive and landscape-wide overview, this solution is an essential toolkit to strengthen the security posture of an SAP landscape.

SAP Security Patches February 2024

For February 2024, 13 new Security Notes have been released and 3 have been updated. Let’s look at some highlights, starting with the ‘HotNews’ notes.

HotNews

This month brings 2 HotNews notes, although one of these is the ‘ever returning’ note 2622660 concerning Google Chromium and SAP Business Client. We have mentioned this note many times in our previous blogs. Please review it if applicable, and note that this month’s update concerns CVSS 8.8.

Note 3420923 is newly released and describes a vulnerability in the SAP ABA component for the ‘Web Survey’ functionality (CA-SUR). The interface can allow an attacker to read or modify any business data and make the system completely unavailable. Apart from patching, the issue can also be addressed with a workaround. Note 3415038 should describe this, but at the time of writing, the note is still being created by SAP. So keep checking for this note if you need the workaround and more details!

SAP IDES is "just a demo system" - SecurityBridge proves otherwise!

SAP IDES stands for “Internet Demonstration and Evaluation System” and is a well-known system type in the SAP community. It is packed with example data and business processes for a model company and is meant to showcase SAP implementation scenarios to be evaluated by (potential) customers. 

An SAP IDES system is a typical example of a system that is often thought of as ‘irrelevant’ for IT security. Because why would such a system be a security risk? There is no customer data in there and it is just a demo system, right? Reality can be quite different though, for several reasons. Some examples we have come across are:

  • Processing of real customer data in SAP IDES.
  • Setup of interfaces/connectivity between SAP IDES and customer systems.
  • Installation of SAP IDES in productive networks. 


These examples often exist to enhance demo scenarios or for convenience reasons, like network access by users. Whatever the reason, such setups can introduce serious security risks and should be avoided. SAP note 3421659 is a perfect example. The SecurityBridge Research Lab discovered this RCE vulnerability on SAP IDES, which allows code execution on the OS level. Such a vulnerability can be the ‘perfect’ way in for an attacker as a first step to gain access to customer systems and data! 

If you have an SAP IDES system installed in your landscape, apply the correction using the supplied transport from the note. And closely review the setup of your IDES system for customer data and clear separation from the IDES system on the application and network levels.

Security notes with 'High' to 'Low' priority

Most vulnerabilities only require patching of the concerned software component. Below we share some additional remarks concerning the other released security notes for February 2024:

  • Note 3417627: describes an XSS vulnerability on AS Java with a CVSS of 8.8. Only relevant if note 3251396 has been installed. 
  • Note 3426111: describes a ‘classic’ XXE vulnerability on AS Java on XML parsing with a CVSS of 8.6. A workaround is available.
  • Note 3424610: describes a certification validation vulnerability on the SAP Cloud Connector (SCC). Take special care to update all SCC installations. This component plays a vital role in the communication between the SAP BTP Platform and on-premise landscapes.
  • Note 3385711: only textually updated.
  • Note 3404025: describes an XSS vulnerability on SAP Companion. Patching is only required for SAP Companion on-premise customers.
  • Note 3360827: describes an Information Disclosure vulnerability on AS ABAP which requires patching of the SAP kernel. Take special care with the patching process as described in the note, and be aware that the kernel patch may not be available yet!
  • Note 3363690: this security note was released earlier but now contains updated correction instructions. Review these if applicable.
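To turn the remarks above into a repeatable check, here is an added example (not SecurityBridge or SAP code) that triages this month’s notes against a constructed landscape inventory: the note numbers, components and CVSS values are taken from this page, while the SapSystem model, the system IDs and the inventory itself are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class SapSystem:
    """One system in the landscape (constructed inventory model, not an SAP API)."""
    sid: str
    components: set                      # installed SAP component IDs, e.g. "BC-GP"
    installed_notes: set = field(default_factory=set)
    on_premise: bool = True

# (note, component, CVSS, priority) as listed on this page for February 2024
NOTES = [
    (3420923, "CA-SUR", 9.1, "HotNews"),
    (3417627, "BC-JAS-SEC-UME", 8.8, "High"),
    (3426111, "BC-GP", 8.6, "High"),
    (3421659, "XX-IDES", 7.4, "High"),
    (3424610, "BC-MID-SCC", 7.4, "High"),
    (3404025, "KM-SEN-CMP", 5.4, "Medium"),
    (3360827, "BC-FES-ITS", 5.3, "Medium"),
]

def applies(note, system):
    """Extra relevance conditions stated in the remarks above."""
    if note == 3417627:      # only relevant once note 3251396 is installed
        return 3251396 in system.installed_notes
    if note == 3404025:      # patching only needed for SAP Companion on-premise
        return system.on_premise
    return True

def triage(systems):
    """Open, applicable notes per system as (sid, note, cvss, priority), highest CVSS first."""
    findings = []
    for s in systems:
        for note, comp, cvss, prio in NOTES:
            if comp in s.components and note not in s.installed_notes and applies(note, s):
                findings.append((s.sid, note, cvss, prio))
    return sorted(findings, key=lambda f: -f[2])

# Constructed landscape: an IDES box, an AS Java box with one note applied, a cloud Companion
LANDSCAPE = [
    SapSystem("IDS", {"XX-IDES", "CA-SUR"}),
    SapSystem("JAV", {"BC-JAS-SEC-UME", "BC-GP"}, installed_notes={3426111}),
    SapSystem("CMP", {"KM-SEN-CMP"}, on_premise=False),
]

if __name__ == "__main__":
    for sid, note, cvss, prio in triage(LANDSCAPE):
        print(f"{sid}: note {note} ({prio}, CVSS {cvss}) still missing")
```

Extend NOTES and the conditions in applies() as you read each note’s prerequisites; the output is a starting list for the patch owners, not a substitute for reading the notes.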

SAP Security Notes February 2024


Summary by Severity

The February release contains a total of 16 patches for the following severities:

Severity | Number
Hot News | 2
High | 6
Medium | 7
Low | 1
Note | Description | Priority | Released on | Components | Category | Severity | CVSS
2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | HotNews | 10.04.2018 | BC-FES-BUS-DSK | Program error | Hot News | 10.0
3420923 | [CVE-2024-22131] Code Injection vulnerability in SAP ABA (Application Basis) | HotNews | 13.02.2024 | CA-SUR | Program error | Hot News | 9.1
3417627 | [CVE-2024-22126] Cross Site Scripting vulnerability in NetWeaver AS Java (User Admin Application) | Correction with high priority | 13.02.2024 | BC-JAS-SEC-UME | Program error | High | 8.8
3426111 | [CVE-2024-24743] XXE vulnerability in SAP NetWeaver AS Java (Guided Procedures) | Correction with high priority | 13.02.2024 | BC-GP | Program error | High | 8.6
3410875 | [CVE-2024-22130] Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI) | Correction with high priority | 13.02.2024 | CA-WUI-UI | Program error | High | 7.6
3421659 | [CVE-2024-22132] Code Injection vulnerability in SAP IDES Systems | Correction with high priority | 13.02.2024 | XX-IDES | Program error | High | 7.4
3424610 | [CVE-2024-25642] Improper Certificate Validation in SAP Cloud Connector | Correction with high priority | 13.02.2024 | BC-MID-SCC | Program error | High | 7.4
3385711 | [CVE-2023-49580] Information disclosure vulnerability in SAP NetWeaver Application Server ABAP | Correction with high priority | 12.12.2023 | BC-FES-WGU | Program error | High | 7.3
2637727 | [CVE-2024-24739] Missing authorization check in SAP Bank Account Management | Correction with medium priority | 13.02.2024 | FIN-FSCM-CLM | Program error | Medium | 6.3
3404025 | [CVE-2024-22129] Cross-Site Scripting (XSS) vulnerability in SAP Companion | Correction with medium priority | 13.02.2024 | KM-SEN-CMP | Program error | Medium | 5.4
3360827 | [CVE-2024-24740] Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP (SAP Kernel) | Correction with medium priority | 13.02.2024 | BC-FES-ITS | Program error | Medium | 5.3
3396109 | [CVE-2024-22128] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Business Client for HTML | Correction with medium priority | 13.02.2024 | BC-FES-BUS | Program error | Medium | 4.7
2897391 | [CVE-2024-24741] Missing Authorization check in SAP Master Data Governance Material | Correction with medium priority | 01.02.2024 | CA-MDG-APP-MM | Program error | Medium | 4.3
3237638 | [CVE-2024-25643] Missing authorization check in SAP Fiori app ("My Overtime Requests") | Correction with medium priority | 13.02.2024 | PA-FIO-OVT | Program error | Medium | 4.3
3158455 | [CVE-2024-24742] Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI) | Correction with medium priority | 13.02.2024 | CA-WUI-WKB | Program error | Medium | 4.1
3363690 | [CVE-2023-49058] Directory Traversal vulnerability in SAP Master Data Governance | Correction with low priority | 12.12.2023 | CA-MDG-ML | Program error | Low | 3.5