SAP Security Patch Day – January 2024

SAP Security Patch Tuesday 2024

Posted by Gert-Jan Koster

While many have enjoyed a short break to close off the year 2023 and start afresh, the continuous wheel of patch management keeps spinning! So is the case today on this first SAP Security Patch Day of 2024, where SAP has released another set of Security Patches. As always, we will dive into these and discuss some highlights, starting with the so-called ‘HotNews’ notes with the highest priority. Patch management may seem a repetitive and perhaps even tedious task at times but remember that many security incidents and data breaches happen because of outdated or unpatched software. So we cannot repeat enough: take patch management seriously, analyze it, and implement it accordingly. It is of vital importance!

At SecurityBridge, we fully understand the importance of patch management and recognize the complexity for organizations to arrange this effectively. The SecurityBridge Patch Management solution greatly helps in creating insight into missing patches across an SAP landscape including impact assessment of specific patches even before implementation. Presenting the status in a comprehensive and landscape-wide overview, the solution is an essential toolkit to strengthen the security posture of an SAP landscape.

SAP Security Patches January 2024

For January 2024, 10 new Security Notes have been released and 2 have been updated. Let's look at some highlights, starting with the ‘HotNews’ notes, which all have a CVSS score of 9.1 this month.

HotNews notes for SAP BTP Security

With the adoption and enhancement of the SAP Business Technology Platform (BTP), it is only logical to also expect an increase in Security Notes. 

In December 2023, Security Note 3411067 was released which addressed a possible escalation of privileges for SAP BTP Security Services Integration Libraries. The note has been updated but does not require additional action. More clarification has been given and an extensive FAQ note has been added: note 3411661. It is strongly recommended to all SAP BTP customers to review these notes and make sure the required updates have been applied. 

While note 3411067 does not require additional action, 2 new ‘HotNews’ notes have been released that are closely related to the libraries mentioned above, which demonstrates the extent of the vulnerabilities these libraries contain:

The ‘Edge Integration Cell’ uses the same (sub)set of libraries and is therefore also affected. This is described in ‘HotNews’ Security Note 3413475. The ‘Edge Integration Cell’ is a relatively new deployment option that enables a ‘hybrid integration runtime’ in a private / on-premise landscape, based on BTP Integration Suite functionality. Technically, the solution is deployed as a Kubernetes container, and fixing the vulnerabilities of note 3413475 is a matter of upgrading the container to a newer version. For more information about the ‘Edge Integration Cell’, see SAP help and this blog.

Applications developed through the SAP Business Application Studio, SAP Web IDE Full-Stack, and SAP Web IDE for HANA can also be affected when using affected library versions. This is described in ‘HotNews’ Security Note 3412456. Again, these applications need to be revised to use the latest libraries.

Security notes with 'High' to 'Low' priority

Besides the ‘HotNews’ notes which are about the SAP BTP platform, the notes with a lower priority concern a wide array of components. Some of these notes only require patching of the concerned software component. See below for some highlights and extra remarks:

  • Note 3389917: describes a possible DoS attack on the SAP Web Dispatcher and ICM components in NetWeaver ABAP. This is only relevant for the HTTP/2 protocol. Note the distinct differences in affected versions. Patching is required but a workaround is also available.
  • Note 3386378: to solve the Information Disclosure vulnerability, only an update of the Microsoft Edge Extension is needed, not the SAP GUI. A workaround is also available.
  • Note 3407617: to fix the authorization check issue, note the manual activities that are required.
  • Note 3324732: this note has been re-released but does not require additional customer action.
  • Note 3392626: to solve the Information Disclosure vulnerability in the SAP Web Dispatcher and ICM components, patching is required but a workaround is also available. 

SAP Security Notes January 2024

Highlights

For January 2024, 10 new Security Notes have been released and 2 have been updated. The 'HotNews' notes all concern the SAP Business Technology Platform (BTP).

Summary by Severity

The January release contains a total of 12 patches for the following severities:

Severity    Number
Hot News    3
High        4
Medium      4
Low         1
Note 3413475 – [Multiple CVEs] Escalation of Privileges in SAP Edge Integration Cell
  Priority: HotNews | Released on: 09.01.2024 | Components: BC-CP-IS-EDG-DPL | Category: Program error
  Severity: Hot News | CVSS: 9.1

Note 3412456 – [CVE-2023-49583] Escalation of Privileges in applications developed through SAP Business Application Studio, SAP Web IDE Full-Stack and SAP Web IDE for SAP HANA
  Priority: HotNews | Released on: 09.01.2024 | Components: CA-BAS-S8D | Category: Program error
  Severity: Hot News | CVSS: 9.1

Note 3411067 – [Multiple CVEs] Escalation of Privileges in SAP Business Technology Platform (BTP) Security Services Integration Libraries
  Priority: HotNews | Released on: 12.12.2023 | Components: BC-CP-CF-SEC-LIB | Category: Program error
  Severity: Hot News | CVSS: 9.1

Note 3411869 – [CVE-2024-21737] Code Injection vulnerability in SAP Application Interface Framework (File Adapter)
  Priority: Correction with high priority | Released on: 09.01.2024 | Components: BC-SRV-AIF | Category: Program error
  Severity: High | CVSS: 8.4

Note 3389917 – [CVE-2023-44487] Denial of service (DOS) in SAP Web Dispatcher, SAP NetWeaver Application Server ABAP, and ABAP Platform
  Priority: Correction with high priority | Released on: 09.01.2024 | Components: BC-CST-IC | Category: Program error
  Severity: High | CVSS: 7.5

Note 3386378 – [CVE-2024-22125] Information Disclosure vulnerability in Microsoft Edge browser extension (SAP GUI connector for Microsoft Edge)
  Priority: Correction with high priority | Released on: 09.01.2024 | Components: BC-FES-CTL | Category: Program error
  Severity: High | CVSS: 7.4

Note 3407617 – [CVE-2024-21735] Improper Authorization check in SAP LT Replication Server
  Priority: Correction with high priority | Released on: 09.01.2024 | Components: CA-LT-SLT | Category: Program error
  Severity: High | CVSS: 7.3

Note 3260667 – [CVE-2024-21736] Missing Authorization check in SAP S/4HANA Finance (Advanced Payment Management)
  Priority: Correction with medium priority | Released on: 09.01.2024 | Components: FIN-FSCM-PF-IHB | Category: Program error
  Severity: Medium | CVSS: 6.4

Note 3324732 – [CVE-2023-31405] Log Injection vulnerability in SAP NetWeaver AS for Java (Log Viewer)
  Priority: Correction with medium priority | Released on: 11.07.2023 | Components: BC-JAS-SEC | Category: Program error
  Severity: Medium | CVSS: 5.3

Note 3392626 – [CVE-2024-22124] Information Disclosure vulnerability in SAP NetWeaver Internet Communication Manager
  Priority: Correction with medium priority | Released on: 09.01.2024 | Components: BC-CST-IC | Category: Program error
  Severity: Medium | CVSS: 4.1

Note 3387737 – [CVE-2024-21738] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver ABAP Application Server and ABAP Platform
  Priority: Correction with medium priority | Released on: 09.01.2024 | Components: BC-SRV-COM | Category: Program error
  Severity: Medium | CVSS: 4.1

Note 3190894 – [CVE-2024-21734] URL Redirection vulnerability in SAP Marketing (Contacts App)
  Priority: Correction with low priority | Released on: 09.01.2024 | Components: CEC-MKT-DM-CON | Category: Program error
  Severity: Low | CVSS: 3.7
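The post stresses that the real work of a Patch Day is the gap analysis: which of these notes are still open on which system, and in what order to tackle them. As an added example (not SecurityBridge's product code and not from the original post), the Python below loads the January 2024 notes exactly as listed in the table above, marks the two re-released notes the post says need no further action (3411067 and 3324732), and computes the open notes per system ranked by severity and CVSS. The system inventory (`SYSTEMS`, with SIDs "PRD" and "DEV", their applied note numbers and installed component codes) is constructed for the example; in practice those sets would come from the system's note status and installed software components.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityNote:
    number: int
    title: str
    severity: str      # "Hot News", "High", "Medium" or "Low"
    cvss: float
    component: str     # SAP component code from the note
    released: str      # dd.mm.yyyy as printed in the table


# Values copied from the January 2024 notes table in this post (titles shortened).
JANUARY_2024_NOTES = [
    SecurityNote(3413475, "Escalation of Privileges in SAP Edge Integration Cell", "Hot News", 9.1, "BC-CP-IS-EDG-DPL", "09.01.2024"),
    SecurityNote(3412456, "Escalation of Privileges in apps built with BAS / Web IDE", "Hot News", 9.1, "CA-BAS-S8D", "09.01.2024"),
    SecurityNote(3411067, "Escalation of Privileges in BTP Security Services Integration Libraries", "Hot News", 9.1, "BC-CP-CF-SEC-LIB", "12.12.2023"),
    SecurityNote(3411869, "Code Injection in SAP AIF (File Adapter)", "High", 8.4, "BC-SRV-AIF", "09.01.2024"),
    SecurityNote(3389917, "Denial of service in SAP Web Dispatcher / ICM (HTTP/2)", "High", 7.5, "BC-CST-IC", "09.01.2024"),
    SecurityNote(3386378, "Information Disclosure in SAP GUI connector for Microsoft Edge", "High", 7.4, "BC-FES-CTL", "09.01.2024"),
    SecurityNote(3407617, "Improper Authorization check in SAP LT Replication Server", "High", 7.3, "CA-LT-SLT", "09.01.2024"),
    SecurityNote(3260667, "Missing Authorization check in S/4HANA Finance (APM)", "Medium", 6.4, "FIN-FSCM-PF-IHB", "09.01.2024"),
    SecurityNote(3324732, "Log Injection in SAP NetWeaver AS for Java (Log Viewer)", "Medium", 5.3, "BC-JAS-SEC", "11.07.2023"),
    SecurityNote(3392626, "Information Disclosure in SAP NetWeaver ICM", "Medium", 4.1, "BC-CST-IC", "09.01.2024"),
    SecurityNote(3387737, "Cross-Site Scripting in SAP NetWeaver AS ABAP", "Medium", 4.1, "BC-SRV-COM", "09.01.2024"),
    SecurityNote(3190894, "URL Redirection in SAP Marketing (Contacts App)", "Low", 3.7, "CEC-MKT-DM-CON", "09.01.2024"),
]

# Re-released notes that, according to the post, require no additional customer action.
NO_ACTION_RERELEASES = {3411067, 3324732}

# Lower rank = handle first.
SEVERITY_RANK = {"Hot News": 0, "High": 1, "Medium": 2, "Low": 3}


def summary_by_severity(notes=JANUARY_2024_NOTES):
    """Count notes per severity; should match the 'Summary by Severity' box."""
    counts = {}
    for note in notes:
        counts[note.severity] = counts.get(note.severity, 0) + 1
    return counts


def missing_notes(applied, installed_components=None, notes=JANUARY_2024_NOTES):
    """Open notes for one system, most urgent first.

    applied: note numbers already implemented on the system.
    installed_components: component codes present on the system; None means
    'consider every note', which gives a landscape-wide worst-case view.
    Re-released no-action notes are never reported as open.
    """
    open_notes = [
        n for n in notes
        if n.number not in applied
        and n.number not in NO_ACTION_RERELEASES
        and (installed_components is None or n.component in installed_components)
    ]
    # Severity first, then higher CVSS first, then note number for a stable order.
    return sorted(open_notes, key=lambda n: (SEVERITY_RANK[n.severity], -n.cvss, n.number))


def landscape_report(systems, notes=JANUARY_2024_NOTES):
    """Map each SID to its ordered list of open note numbers."""
    return {
        sid: [n.number for n in missing_notes(s["applied"], s["components"], notes)]
        for sid, s in systems.items()
    }


# Constructed inventory for the example: two systems, their applied notes and components.
SYSTEMS = {
    "PRD": {"applied": {3389917}, "components": {"BC-CST-IC", "BC-SRV-COM", "BC-SRV-AIF"}},
    "DEV": {"applied": set(), "components": {"BC-CST-IC", "BC-SRV-COM"}},
}

if __name__ == "__main__":
    print("Summary:", summary_by_severity())
    for sid, open_list in landscape_report(SYSTEMS).items():
        print(f"{sid}: open notes {open_list}")
```

The ordering key is deliberate: a High note with CVSS 7.5 sorts above a Medium note with CVSS 6.4 because SAP's priority, not the raw score, decides the implementation window, while the CVSS only orders notes within the same priority. Filtering by installed component keeps a Java-only or Web Dispatcher-only host from showing notes it cannot implement, but the landscape-wide call with `installed_components=None` is the safer starting point when the component inventory is incomplete.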