For some, it might feel like 2024 has just started – but it is already time for the second SAP Security Patch Day of the year! SAP has again released several security patches: we will look into them and share some highlights, as always. Not a month goes by without ‘breaking news’ about data breaches, ransomware, or other attacks organizations are forced to battle against. Based on the released information, ‘unpatched’ systems often play a role in these headache situations. It is all the more reason to keep iterating the message of taking patch management seriously. Don’t let this vital task in IT security drop on the priority list, there are many examples out there of why you shouldn’t!
At SecurityBridge, we highly value the importance of patch management and recognize the complexity for organizations to manage it effectively. The SecurityBridge Patch Management solution greatly helps in creating insight into missing patches across an SAP landscape, including impact assessment of specific patches even before implementation. By presenting the status in a comprehensive and landscape-wide overview, this solution is an essential toolkit to strengthen the security posture of an SAP landscape.
SAP Security Patches February 2024
For February 2024, 13 new Security Notes have been released and 3 have been updated. Let’s look at some highlights, starting with the ‘HotNews’ notes.
This month concerns 2 HotNews notes, although one of these is the ‘ever returning’ note 2622660 concerning Google Chromium and SAP Business Client. We have mentioned this note many times in our previous blogs. Please review if applicable, and note that this month, the update concerns CVSS 8.8.
Note 3420923 is newly released and describes a vulnerability in the SAP ABA component for the ‘Web Survey’ functionality (CA-SUR). The interface can allow an attacker to read or modify any business data and make the system completely unavailable. Apart from patching, the issue can also be addressed with a workaround. Note 3415038 should describe this, but at the time of writing, the note is still being created by SAP. So keep checking for this note if you need the workaround and more details!
SAP IDES is "just a demo system" - SecurityBridge proves otherwise!
SAP IDES stands for “Internet Demonstration and Evaluation System” and is a well-known system type in the SAP community. It is packed with example data and business processes for a model company and is meant to showcase SAP implementation scenarios to be evaluated by (potential) customers.
An SAP IDES system is a typical example of a system that is often thought of as ‘irrelevant’ for IT security. Because why would such a system be a security risk? There is no customer data in there and it is just a demo system, right? Reality can be quite different though, for several reasons. Some examples we have come across are:
- Processing of real customer data in SAP IDES.
- Setup of interfaces/connectivity between SAP IDES and customer systems.
- Installation of SAP IDES in productive networks.
These examples often exist to enhance demo scenarios or for convenience reasons, like network access by users. Whatever the reason, such setups can introduce serious security risks and should be avoided. SAP note 3421659 is a perfect example. The SecurityBridge Research Lab discovered this RCE vulnerability on SAP IDES, which allows code execution on the OS level. Such a vulnerability can be the ‘perfect’ way in for an attacker as a first step to gain access to customer systems and data!
If you have an SAP IDES system installed in your landscape, apply the correction using the supplied transport from the note. And closely review the setup of your IDES system for customer data and clear separation from the IDES system on the application and network levels.
Security notes with 'High' to 'Low' priority
Most vulnerabilities only require patching of the concerned software component. Below we share some additional remarks concerning the other released security notes for February 2024:
- Note 3417627: describes an XSS vulnerability on AS Java with a CVSS of 8.8. Only relevant if note 3251396 has been installed.
- Note 3426111: describes a ‘classic’ XXE vulnerability on AS Java on XML parsing with a CVSS of 8.6. A workaround is available.
- Note 3424610: describes a certification validation vulnerability on the SAP Cloud Connector (SCC). Take special care to update all SCC installations. This component plays a vital role in the communication between the SAP BTP Platform and on-premise landscapes.
- Note 3385711: only textually updated.
- Note 3404025: describes an XSS vulnerability on SAP Companion. Patching is only required for SAP Companion on-premise customers.
- Note 3360827: describes an Information Disclosure vulnerability on AS ABAP which requires patching of the SAP kernel. Take special care here for the patching process as described in the note. The patch may not be available yet!
- Note 3363690: this security note was released earlier but now contains updated correction instructions. Review these if applicable.
SAP Security Notes February 2024
For February 2024, 13 new Security Notes have been released and 3 have been updated.
Summary by Severity
The February release contains a total of 16 patches for the following severities: