SAP Security Patch Day – July 2024
We have entered the second half of 2024, and with it the SAP Security Patch Day for July. As always on the second Tuesday of the month, SAP issued a set of security patches: 18 notes since the June release. Unpatched systems are a significant risk, and many data breaches and other cyber attacks trace back to missing patches. The importance of patching is well understood; the difficulty lies in executing it consistently, which requires unwavering attention.
At SecurityBridge, we know how important patch management is and how complex it is for organizations to manage effectively. The SecurityBridge Patch Management solution provides insight into missing patches across an SAP landscape, including an impact assessment of specific patches before they are implemented. By presenting the status in a comprehensive, landscape-wide overview, it is an essential tool for strengthening the security posture of an SAP landscape.
SAP Security Patches July 2024
For July 2024, 16 new Security Notes have been released and 2 existing notes have been updated. As shown in the summary below, there are no HotNews notes and only 2 have priority ‘High’. Although this means there are no very critical patches to deal with, the remaining notes still require due attention. For most of them, remediation ‘simply’ means applying the relevant patches and, where indicated, the accompanying manual corrections.
We will highlight some points of attention below.
Note 3490515: This note describes a vulnerability in the ‘early login and registration’ feature of SAP Commerce. Note that SAP Commerce comes in a public cloud and an on-premise variant that require different remediation steps. Also note the workaround, which can serve as a temporary fix until the patch is applied.
Note 3459379: This note was updated at the end of June with changed correction instructions. If it is relevant to your landscape, double-check that the updated instructions have been applied.
Note 3461110: The vulnerability described here concerns SAP GUI for Windows, a component that is still very widely used within organizations. The described issue can only occur when the user’s workstation is already largely compromised. Still, it underlines the general weakness of passwords and the added value of a secure alternative such as single sign-on.
Notes 3476348 and 3476340 both describe vulnerabilities in SAP Enable Now. Here too, note the difference between the cloud and on-premise variants: depending on the variant, different actions are needed.
Keep a close eye!
Although this article is about patches and patch management, some of these items touch on other security areas too. Take note 3454858, for example. This note concerns possible ‘Information Disclosure’ when using certain function modules in an SAP ABAP system. Fixing the issue by applying the patch is one thing, but what about monitoring the usage of such function modules or other programs? Even once the issue is fixed, it is very valuable to know if and when these modules are used. This is where SecurityBridge Threat Detection comes into play: real-time events give actual insight into what happens in your SAP landscape. For the note mentioned above, usage of the function module can be tracked and immediately investigated to identify possible exploit attempts. With these insights, you can decisively strengthen your security posture.
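As an added illustration of the monitoring idea above (example code, not SecurityBridge’s Threat Detection or any SAP code), the following Python runs a watchlist over constructed, simplified usage records: every call to a watched function module is recorded, failed calls and calls from unexpected users are raised, and a burst of calls by one user to one module within a short window is escalated as a possible exploit attempt. The record layout, the Z_* function-module names, the expected-caller list and the thresholds are assumptions for illustration.

```python
"""Watchlist detection for function-module usage (added example).

Not SecurityBridge's or SAP's code. Runs simple detection logic over a
constructed record format: timestamp;user;terminal;function_module;result.
The layout, the Z_* module names and the expected-caller list are assumptions;
a real SAP Security Audit Log has its own format and message IDs.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Function modules whose every use should be visible (hypothetical names in the
# customer Z namespace, so they cannot be mistaken for real SAP objects).
WATCHLIST = {"Z_EXAMPLE_DX_EXPORT", "Z_EXAMPLE_DX_READ_TABLE"}
# Technical users expected to call them during normal operation (assumed).
EXPECTED_CALLERS = {"BATCH01"}
BURST_THRESHOLD = 4                  # calls by one user to one module ...
BURST_WINDOW = timedelta(minutes=1)  # ... within this window escalate to "high"

# Constructed sample records, not real log data.
CONSTRUCTED_LOG = """\
2024-07-10T08:01:12;JSMITH;WS-0421;Z_EXAMPLE_UNRELATED;OK
2024-07-10T08:02:05;JSMITH;WS-0421;Z_EXAMPLE_DX_EXPORT;OK
2024-07-10T08:02:09;JSMITH;WS-0421;Z_EXAMPLE_DX_EXPORT;OK
2024-07-10T08:02:14;JSMITH;WS-0421;Z_EXAMPLE_DX_EXPORT;OK
2024-07-10T08:02:20;JSMITH;WS-0421;Z_EXAMPLE_DX_EXPORT;OK
2024-07-10T08:05:44;BATCH01;WS-0001;Z_EXAMPLE_DX_EXPORT;OK
2024-07-10T08:07:03;TSCOTT;WS-0199;Z_EXAMPLE_DX_EXPORT;FAILED
2024-07-10T08:07:05;TSCOTT;WS-0199;Z_EXAMPLE_DX_EXPORT;FAILED
2024-07-10T08:09:30;TSCOTT;WS-0199;Z_EXAMPLE_OTHER;OK
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    terminal: str
    fm: str
    result: str


@dataclass(frozen=True)
class Alert:
    severity: str
    user: str
    fm: str
    reason: str


def parse_line(line: str) -> Event:
    """Split one constructed record into its five fields."""
    ts, user, terminal, fm, result = line.strip().split(";")
    return Event(datetime.fromisoformat(ts), user, terminal, fm, result)


def detect(lines) -> list:
    """Apply the watchlist rules to an iterable of records, in order."""
    alerts = []
    recent = defaultdict(deque)  # (user, fm) -> timestamps inside BURST_WINDOW
    burst_reported = set()       # report each (user, fm) burst only once
    for raw in lines:
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev.fm not in WATCHLIST:
            continue
        # Expected technical users still get recorded, but never escalated.
        if ev.user in EXPECTED_CALLERS and ev.result == "OK":
            alerts.append(Alert("info", ev.user, ev.fm, "expected caller"))
            continue
        if ev.result != "OK":
            # After the patch an authorization check may now reject the call:
            # repeated failures look like probing, so they are worth a look.
            alerts.append(Alert("medium", ev.user, ev.fm,
                                f"failed call from {ev.terminal}"))
        else:
            alerts.append(Alert("low", ev.user, ev.fm,
                                f"unexpected caller from {ev.terminal}"))
        key = (ev.user, ev.fm)
        window = recent[key]
        window.append(ev.ts)
        while window and ev.ts - window[0] > BURST_WINDOW:
            window.popleft()
        if len(window) >= BURST_THRESHOLD and key not in burst_reported:
            burst_reported.add(key)
            alerts.append(Alert("high", ev.user, ev.fm,
                                f"{len(window)} calls within {BURST_WINDOW.seconds}s"))
    return alerts


def summarize(alerts) -> dict:
    """Count alerts per severity."""
    counts = {}
    for a in alerts:
        counts[a.severity] = counts.get(a.severity, 0) + 1
    return counts


if __name__ == "__main__":
    found = detect(CONSTRUCTED_LOG.splitlines())
    for a in found:
        print(f"{a.severity:6} {a.user:8} {a.fm:24} {a.reason}")
    print(summarize(found))
```

Run as a script it prints the alerts for the constructed records. In practice the records would come from the Security Audit Log or a comparable source, and the watchlist would hold the function modules named in the relevant note rather than the hypothetical Z_* names used here.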
SAP Security Notes July 2024 Highlights
A larger list of notes than in previous months. No HotNews notes this time and lower criticality overall.
Summary by Severity
The July release contains a total of 18 patches for the following severities:
Severity | Number
---|---
Hot News | 0
High | 2
Medium | 15
Low | 1
Note | Title | Priority | Released on | Component | Category | Severity | CVSS
---|---|---|---|---|---|---|---
3483344 | [CVE-2024-39592] Missing Authorization check in SAP PDCE | Correction with high priority | 09.07.2024 | FIN-BA | Program error | High | 7.7
3490515 | [CVE-2024-39597] Improper Authorization Checks on Early Login Composable Storefront B2B sites of SAP Commerce | Correction with high priority | 09.07.2024 | CEC-SCC-COM-BC-CS | Program error | High | 7.2
3466801 | [CVE-2024-39593] Information Disclosure vulnerability in SAP Landscape Management | Correction with medium priority | 09.07.2024 | BC-VCM-LVM | Program error | Medium | 6.9
3459379 | [CVE-2024-34683] Unrestricted file upload in SAP Document Builder (HTTP service) | Correction with medium priority | 11.06.2024 | CA-GTF-DOB | Program error | Medium | 6.5
3468681 | [CVE-2024-34685] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Knowledge Management XMLEditor | Correction with medium priority | 09.07.2024 | EP-PIN-WPC-WCM | Program error | Medium | 6.1
3482217 | [CVE-2024-39594] Multiple Cross-Site Scripting (XSS) vulnerabilities in SAP Business Warehouse - Business Planning and Simulation | Correction with medium priority | 09.07.2024 | BW-PLA-BPS | Program error | Medium | 6.1
3467377 | [Multiple CVEs] Multiple vulnerabilities in SAP CRM (WebClient UI) | Correction with medium priority | 09.07.2024 | CA-WUI-UI | Program error | Medium | 6.1
3457354 | [CVE-2024-37172] Missing Authorization check in SAP S/4HANA Finance (Advanced Payment Management) | Correction with medium priority | 09.07.2024 | FIN-FSCM-PF-IHB | Program error | Medium | 5.4
3483993 | [CVE-2024-34689] Prerequisite for Security Note 3458789 | Correction with medium priority | 09.07.2024 | BC-BMT-WFM | Program error | Medium | 5.0
3485805 | [CVE-2024-34689] Allowlisting of callback-URLs in SAP Business Workflow (WebFlow Services) | Correction with medium priority | 09.07.2024 | BC-BMT-WFM | Upgrade information | Medium | 5.0
3469958 | [CVE-2024-37171] Server-Side Request Forgery (SSRF) in SAP Transportation Management (Collaboration Portal) | Correction with medium priority | 09.07.2024 | TM-CP | Program error | Medium | 5.0
3461110 | [CVE-2024-39600] Information Disclosure vulnerability in SAP GUI for Windows | Correction with medium priority | 09.07.2024 | BC-FES-GUI | Program error | Medium | 5.0
3458789 | [CVE-2024-34689] Server-Side Request Forgery in SAP Business Workflow (WebFlow Services) | Correction with medium priority | 09.07.2024 | BC-BMT-WFM | Program error | Medium | 5.0
3456952 | [CVE-2024-39599] Protection Mechanism Failure in SAP NetWeaver Application Server for ABAP and ABAP Platform | Correction with medium priority | 09.07.2024 | BC-MID-ICF | Program error | Medium | 4.7
3476348 | [CVE-2024-39596] Missing Authorization check vulnerability in SAP Enable Now | Correction with medium priority | 09.07.2024 | KM-SEN-MGR | Upgrade information | Medium | 4.3
3101986 | Prepare CSP support for On-Premise down port for code dependency in SAP CRM WebClient UI | Correction with medium priority | 12.04.2022 | CA-WUI-UI | Program error | Medium | 4.1
3454858 | [CVE-2024-37180] Information Disclosure vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform | Correction with medium priority | 09.07.2024 | BC-SRV-DX-DXW | Program error | Medium | 4.1
3476340 | [CVE-2024-34692] Unrestricted File upload vulnerability in SAP Enable Now | Correction with low priority | 09.07.2024 | KM-SEN-MGR | Upgrade information | Low | 3.3