January 9, 2024

SAP Security Patch Day – January 2024

Posted by

Gert-Jan Koster

Find recent Security Advisories for SAP©

While many have enjoyed a short break to close off the year 2023 and start afresh, the continuous wheel of patch management keeps spinning! So is the case today on this first SAP Security Patch Day of 2024, where SAP has released another set of Security Patches. As always, we will dive into these and discuss some highlights, starting with the so-called ‘HotNews’ notes with the highest priority. Patch management may seem a repetitive and perhaps even tedious task at times but remember that many security incidents and data breaches happen because of outdated or unpatched software. So we cannot repeat enough: take patch management seriously, analyze it, and implement it accordingly. It is of vital importance!

At SecurityBridge, we fully understand the importance of patch management and recognize the complexity for organizations to arrange this effectively. The SecurityBridge Patch Management solution greatly helps in creating insight into missing patches across an SAP landscape including impact assessment of specific patches even before implementation. Presenting the status in a comprehensive and landscape-wide overview, the solution is an essential toolkit to strengthen the security posture of an SAP landscape.

SAP Security Patches January 2024

For January 2024, 10 new Security Notes have been released and 2 have been updated. Lets look at some highlights, starting with the ‘HowNews’ notes which all have a CVSS score of 9.1 this month.

HotNews notes for SAP BTP Security

With the adoption and enhancement of the SAP Business Technology Platform (BTP), it is only logical to also expect an increase in Security Notes.

In December 2023, Security Note 3411067 was released which addressed a possible escalation of privileges for SAP BTP Security Services Integration Libraries. The note has been updated but does not require additional action. More clarification has been given and an extensive FAQ note has been added: note 3411661. It is strongly recommended to all SAP BTP customers to review these notes and make sure the required updates have been applied.

While note 3411067 does not require additional action, 2 new ‘HotNews’ notes have been released that are closely related to the mentioned libraries which demonstrates the extend of the vulnerabilities these contain:

The ‘Edge Integration Cell’ uses the same (sub)set of libraries and is therefore also affected. This is described in ‘HotNews’ Security Note 3413475. The ‘Edge Integration Cell’ is a relatively new deployment option that enables a ‘hybrid integration runtime’ in a private / on-premise landscape, based on BTP Integration Suite functionality. Technically, the solution is deployed as a Kubernetes container, and fixing the vulnerabilities of note 3413475 is a matter of upgrading the container to a newer version. For more information about the ‘Edge Integration Cell’, see SAP help and this blog.

Applications developed through the SAP Business Application Studio, SAP Web IDE Full-Stack, and SAP Web IDE for HANA can also be affected when using affected library versions. This is described in ‘HotNews’ Security Note 3412456. Again, these applications need to be revised to use the latest libraries.

Security notes with 'High' to 'Low' priority

Besides the ‘HotNews’ notes which are about the SAP BTP platform, the notes with a lower priority concern a wide array of components. Some of these notes only require patching of the concerned software component. See below for some highlights and extra remarks:

Note 3389917: describes a possible DoS attack on the SAP Web Dispatcher and ICM components in NetWeaver ABAP. This is only relevant for the HTTP/2 protocol. Note the distinct differences in affected versions. Patching is required but a workaround is also available.
Note 3386378: to solve the Information Disclosure vulnerability, only an update of the Microsoft Edge Extension is needed, not the SAP GUI. A workaround is also available.
Note 3407617: to fix the authorization check issue, note the manual activities that are required.
Note 3324732: this note has been re-released but does not require additional customer action.
Note 3392626: to solve the Information Disclosure vulnerability in the SAP Web Dispatcher and ICM components, patching is required but a workaround is also available.

SAP Security Notes January 2024

Highlights

For January 2024, 10 new Security Notes have been released and 2 have been updated. The 'HotNews' notes all concern the SAP Business Technology Platform (BTP).

Summary by Severity

The January release contains a total of 12 patches for the following severities:

Severity	Number
Hot News	3
High	4
Medium	4
Low	1

Note	Description	Severity	CVSS
3413475	[Multiple CVEs] Escalation of Privileges in SAP Edge Integration Cell Priority: HotNews Released on: 09.01.2024 Components: BC-CP-IS-EDG-DPL Category: Program error	Hot News	9.1
3412456	[CVE-2023-49583] Escalation of Privileges in applications developed through SAP Business Application Studio, SAP Web IDE Full-Stack and SAP Web IDE for SAP HANA Priority: HotNews Released on: 09.01.2024 Components: CA-BAS-S8D Category: Program error	Hot News	9.1
3411067	[Multiple CVEs] Escalation of Privileges in SAP Business Technology Platform (BTP) Security Services Integration Libraries Priority: HotNews Released on: 12.12.2023 Components: BC-CP-CF-SEC-LIB Category: Program error	Hot News	9.1
3411869	[CVE-2024-21737] Code Injection vulnerability in SAP Application Interface Framework (File Adapter) Priority: Correction with high priority Released on: 09.01.2024 Components: BC-SRV-AIF Category: Program error	High	8.4
3389917	[CVE-2023-44487] Denial of service (DOS) in SAP Web Dispatcher, SAP NetWeaver Application server ABAP, and ABAP Platform Priority: Correction with high priority Released on: 09.01.2024 Components: BC-CST-IC Category: Program error	High	7.5
3386378	[CVE-2024-22125] Information Disclosure vulnerability in Microsoft Edge browser extension (SAP GUI connector for Microsoft Edge) Priority: Correction with high priority Released on: 09.01.2024 Components: BC-FES-CTL Category: Program error	High	7.4
3407617	[CVE-2024-21735] Improper Authorization check in SAP LT Replication Server Priority: Correction with high priority Released on: 09.01.2024 Components: CA-LT-SLT Category: Program error	High	7.3
3260667	[CVE-2024-21736] Missing Authorization check in SAP S/4HANA Finance (Advanced Payment Management) Priority: Correction with medium priority Released on: 09.01.2024 Components: FIN-FSCM-PF-IHB Category: Program error	Medium	6.4
3324732	[CVE-2023-31405] Log Injection vulnerability in SAP NetWeaver AS for Java (Log Viewer) Priority: Correction with medium priority Released on: 11.07.2023 Components: BC-JAS-SEC Category: Program error	Medium	5.3
3392626	[CVE-2024-22124] Information Disclosure vulnerability in SAP NetWeaver Internet Communication Manager Priority: Correction with medium priority Released on: 09.01.2024 Components: BC-CST-IC Category: Program error	Medium	4.1
3387737	[CVE-2024-21738] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver ABAP Application Server and ABAP Platform Priority: Correction with medium priority Released on: 09.01.2024 Components: BC-SRV-COM Category: Program error	Medium	4.1
3190894	[CVE-2024-21734] URL Redirection vulnerability in SAP Marketing (Contacts App) Priority: Correction with low priority Released on: 09.01.2024 Components: CEC-MKT-DM-CON Category: Program error	Low	3.7