SAP Security Patch Day – June 2024
As we approach the sixth SAP Security Patch Day of the year, upholding robust security measures remains paramount. Once again, SAP has issued a series of security patches; this time the update comprises a moderate collection of 12 notes. In today’s digital landscape, it’s a narrative that rings all too familiar – headlines saturated with reports of data breaches, ransomware attacks, and other cyber threats that cast a shadow over organizations. Frequently, these incidents share a common root cause: unpatched systems, which remain a significant weakness in the defense against such threats.
These recurring headlines underscore the essential nature of patch management in IT security. It’s a responsibility that organizations cannot afford to overlook or postpone. The repercussions of neglecting this vital security infrastructure component are apparent from numerous high-profile real-world examples.
At SecurityBridge, we recognize the critical importance of patch management and the obstacles it presents for organizations. That’s why our Patch Management solution is crafted to provide assistance, furnishing invaluable insights into existing patching gaps within SAP landscapes. Moreover, it empowers organizations to proactively evaluate the potential impacts of specific patches, offering a comprehensive overview of patching status across the entire landscape, even before implementation.
SAP Security Patches June 2024
For June 2024, 10 new Security Notes have been released and 2 have been updated at the end of May. That is a moderate list and interestingly, there are no HotNews updates this time either. That’s no reason to take this month’s release lightly though.
Reviewing the security notes, we see vulnerabilities in the areas of Cross-Site Scripting (XSS), Denial-of-Service, malicious file uploads, Information Disclosure, and missing authorization checks. We have seen all these ‘usual suspects’ come by in the (recent) past, and they will surely keep coming in the future. Let’s further explore the notes from the perspective of these categories.
Cross-Site Scripting (XSS)
In this release, 3 notes address Cross-Site Scripting vulnerabilities, ranging from CVSS 6.1 to 8.1. In an XSS attack, malicious scripts are injected into a web application and compromise the interaction between users and that application.
- Note 3457592: describes 2 issues within SAP Financial Consolidation: CVE-2024-37177 and CVE-2024-37178.
- Note 3465129: describes an issue with WebClient UI of SAP CRM: CVE-2024-34686.
- Note 3450286: this is a known security note from the previous release of May concerning CVE-2024-32733. This time, only the validity information has been changed, so make sure to double-check its relevance for your landscape.
For all the above notes, patching is required; there is no workaround available.
Denial-of-Service (DoS)
A Denial-of-Service (DoS) attack attempts to achieve exactly what the name indicates: to make the target incapable of delivering its service. In other words, it tries to overload the target so that it is no longer available.
- Note 3460407: describes a DoS vulnerability on SAP AS Java: CVE-2024-34688.
- Note 3453170: describes a DoS vulnerability on SAP NetWeaver and ABAP platform: CVE-2024-33001. This issue can only appear when authorization checks for RFCs are disabled. Consider the workaround from the note as a temporary solution.
Unrestricted file uploads
We have seen multiple vulnerabilities in this area recently. Secure handling of files remains an important topic from a security point of view. This time, note 3459379 describes such a potential issue with the SAP Document Builder service: CVE-2024-34683. Patch your system to fix this issue permanently or consider creating a virus profile yourself for the relevant MIME types as a workaround. See the note for more details on this.
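Note 3459379 points to restricting the MIME types a service accepts as the interim measure. As an added illustration (not code from the note, from SAP, or from SecurityBridge), the Python below shows the generic form of that control: an upload is accepted only when its extension, the MIME type the client declares and the file’s own leading bytes all agree, and only when the file name carries no path component. The allowlist, size limit and sample uploads are constructed for this example.

```python
import os

# Constructed allowlist for this example: the MIME type a client may declare
# and the leading bytes (file signature) a genuine file of that type starts with.
ALLOWED_SIGNATURES = {
    "application/pdf": (b"%PDF-",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
}

# Extension a stored file may carry -> MIME type it must be declared and verified as.
EXTENSION_TO_MIME = {
    ".pdf": "application/pdf",
    ".png": "image/png",
    ".jpg": "image/jpeg",
    ".jpeg": "image/jpeg",
}

MAX_UPLOAD_BYTES = 10 * 1024 * 1024  # constructed limit; tune per service


def check_upload(filename, declared_mime, content):
    """Return (accepted, reason). Accept only when the name is a bare file name,
    the size is within limits, and extension, declared type and actual content agree."""
    # Strip directory components so '../'-style names cannot write outside the upload area.
    safe_name = os.path.basename(filename.replace("\\", "/"))
    if safe_name != filename or not safe_name:
        return False, "file name contains a path component"
    if len(content) > MAX_UPLOAD_BYTES:
        return False, "file exceeds size limit"
    ext = os.path.splitext(safe_name)[1].lower()
    expected_mime = EXTENSION_TO_MIME.get(ext)
    if expected_mime is None:
        return False, f"extension {ext or '(none)'} is not allowed"
    if declared_mime.lower() != expected_mime:
        return False, f"declared type {declared_mime} does not match extension {ext}"
    # The declared type is only trusted if the bytes actually carry that type's signature.
    if not any(content.startswith(sig) for sig in ALLOWED_SIGNATURES[expected_mime]):
        return False, f"content does not carry the {expected_mime} signature"
    return True, "accepted"


# Constructed sample uploads: what the client claimed, and what it actually sent.
SAMPLES = [
    ("report.pdf", "application/pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n"),
    ("report.pdf", "application/pdf", b"<html><body>not a pdf</body></html>"),
    ("photo.png", "image/png", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
    ("tool.exe", "application/octet-stream", b"MZ\x90\x00"),
    ("../../config.pdf", "application/pdf", b"%PDF-1.4\n"),
]


def triage(samples):
    """Run the check over a batch and return (name, accepted) pairs."""
    return [(name, check_upload(name, mime, body)[0]) for name, mime, body in samples]


if __name__ == "__main__":
    for name, mime, body in SAMPLES:
        ok, why = check_upload(name, mime, body)
        print(f"{'ACCEPT' if ok else 'REJECT'} {name:20} {why}")
```

The signature check is what turns a MIME allowlist from a label check into a content check: the second sample declares itself a PDF and carries a `.pdf` name, but its bytes are HTML, so it is refused. An antivirus scan (the virus profile the note refers to) belongs after this gate, not instead of it.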
Authorization checks
Missing authorization checks are – again – a common vulnerability type of which we have seen multiple examples recently. This month, we see 4 notes in this area, ranging from a CVSS 3.9 to 6.5:
- Note 3466175: missing authorization check in S/4 HANA for incoming payment files: CVE-2024-34691.
- Note 3465455: missing authorization check in SAP BW/4HANA Transformation and DTP: CVE-2024-37176. Keep in mind the restriction that applies after implementing the note and the manual instructions it requires.
- Note 3457265: missing authorization check in SAP Student Life Cycle Management (SLcM): CVE-2024-34690.
- Note 2638217: this note already originated in 2018 and has now been updated with new correction instructions. It describes the switchable authorization checks for Central Finance. Take note of the checks mentioned here and double-check relevance for your SAP landscape. See also note 2608312.
Information Disclosure
Last but not least, we see 2 notes in the area of Information Disclosure, which is about unwanted access to sensitive data in the broad sense of the word.
- Note 3425571: describes potential access to server information on SAP AS Java: CVE-2024-28164. Apart from patching, there is a workaround available; see the note for the details.
- Note 3441817: describes how an authenticated attacker can gain user credentials allowing access to remote server files: CVE-2024-34684. Patching of the system is required.
SAP Security Notes June 2024 Highlights
A moderate list of security notes without HotNews.
Summary by Severity
The June release contains a total of 12 patches for the following severities:
Severity | Number
---|---
Hot News | 0
High | 2
Medium | 8
Low | 2
Note | Description | Severity | CVSS |
---|---|---|---|
3457592 | [CVE-2024-37177] Cross-Site Scripting (XSS) vulnerabilities in SAP Financial Consolidation Priority: Correction with high priority Released on: 11.06.2024 Components: EPM-BFC-TCL Category: Program error | High | 8.1 |
3460407 | [CVE-2024-34688] Denial of service (DOS) in SAP NetWeaver AS Java (Meta Model Repository) Priority: Correction with high priority Released on: 11.06.2024 Components: BC-DWB-JAV-MMR Category: Program error | High | 7.5 |
3459379 | [CVE-2024-34683] Unrestricted file upload in SAP Document Builder (HTTP service) Priority: Correction with medium priority Released on: 11.06.2024 Components: CA-GTF-DOB Category: Program error | Medium | 6.5 |
3453170 | [CVE-2024-33001] Denial of service (DOS) in SAP NetWeaver and ABAP platform Priority: Correction with medium priority Released on: 11.06.2024 Components: SV-SMG-SDD Category: Program error | Medium | 6.5 |
3466175 | [CVE-2024-34691] Missing Authorization check in SAP S/4HANA (Manage Incoming Payment Files) Priority: Correction with medium priority Released on: 11.06.2024 Components: FI-FIO-AR-PAY Category: Program error | Medium | 6.5 |
3465129 | [CVE-2024-34686] Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI) Priority: Correction with medium priority Released on: 11.06.2024 Components: CA-WUI-UI Category: Program error | Medium | 6.1 |
3450286 | [CVE-2024-32733] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform Priority: Correction with medium priority Released on: 14.05.2024 Components: BC-MID-AC Category: Program error | Medium | 6.1 |
3465455 | [CVE-2024-37176] Missing Authorization check in SAP BW/4HANA Transformation and DTP Priority: Correction with medium priority Released on: 11.06.2024 Components: BW4-DM-TRFN Category: Program error | Medium | 5.5 |
3457265 | [CVE-2024-34690] Missing Authorization check in SAP Student Life Cycle Management (SLcM) Priority: Correction with medium priority Released on: 11.06.2024 Components: IS-HER-CM-AD Category: Program error | Medium | 5.4 |
3425571 | [CVE-2024-28164] Information Disclosure vulnerability in SAP NetWeaver AS Java (Guided Procedures) Priority: Correction with medium priority Released on: 11.06.2024 Components: BC-GP Category: Program error | Medium | 5.3 |
2638217 | Switchable Authorization Checks in Central Finance Infrastructure Components Priority: Correction with low priority Released on: 13.06.2018 Components: FI-CF-INF Category: Program error | Low | 3.9 |
3441817 | [CVE-2024-34684] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Scheduling) Priority: Correction with low priority Released on: 11.06.2024 Components: BI-BIP-PUB Category: Program error | Low | 3.7 |
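As an added example (not part of the article, and not SecurityBridge’s product code), the Python below rebuilds the severity summary from the note table, checks each stated severity against the CVSS bands SAP uses for its security notes (assumed here: Hot News from 9.0, High from 7.0, Medium from 4.0, otherwise Low), separates the updated notes from the new ones by their release date, and orders a patch backlog by CVSS. The note numbers, CVEs, scores and dates are transcribed from the table above as constructed input.

```python
from dataclasses import dataclass
from datetime import date, datetime

PATCH_DAY = date(2024, 6, 11)  # June 2024 Patch Day

# The twelve notes from this month's table, transcribed as constructed input:
# note | title | stated severity | CVSS | released on
RAW_NOTES = """\
3457592|[CVE-2024-37177] Cross-Site Scripting (XSS) vulnerabilities in SAP Financial Consolidation|High|8.1|11.06.2024
3460407|[CVE-2024-34688] Denial of service (DOS) in SAP NetWeaver AS Java (Meta Model Repository)|High|7.5|11.06.2024
3459379|[CVE-2024-34683] Unrestricted file upload in SAP Document Builder (HTTP service)|Medium|6.5|11.06.2024
3453170|[CVE-2024-33001] Denial of service (DOS) in SAP NetWeaver and ABAP platform|Medium|6.5|11.06.2024
3466175|[CVE-2024-34691] Missing Authorization check in SAP S/4HANA (Manage Incoming Payment Files)|Medium|6.5|11.06.2024
3465129|[CVE-2024-34686] Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI)|Medium|6.1|11.06.2024
3450286|[CVE-2024-32733] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform|Medium|6.1|14.05.2024
3465455|[CVE-2024-37176] Missing Authorization check in SAP BW/4HANA Transformation and DTP|Medium|5.5|11.06.2024
3457265|[CVE-2024-34690] Missing Authorization check in SAP Student Life Cycle Management (SLcM)|Medium|5.4|11.06.2024
3425571|[CVE-2024-28164] Information Disclosure vulnerability in SAP NetWeaver AS Java (Guided Procedures)|Medium|5.3|11.06.2024
2638217|Switchable Authorization Checks in Central Finance Infrastructure Components|Low|3.9|13.06.2018
3441817|[CVE-2024-34684] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Scheduling)|Low|3.7|11.06.2024
"""

# CVSS floor for each SAP note priority; assumed for this example, not taken from the article.
PRIORITY_BANDS = (("Hot News", 9.0), ("High", 7.0), ("Medium", 4.0), ("Low", 0.0))


@dataclass
class Note:
    number: str
    title: str
    severity: str
    cvss: float
    released: date


def parse_notes(raw):
    """Parse the pipe-separated transcription into Note records."""
    notes = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        number, title, severity, cvss, released = line.split("|")
        notes.append(Note(number, title, severity, float(cvss),
                          datetime.strptime(released, "%d.%m.%Y").date()))
    return notes


def priority_from_cvss(score):
    """Map a CVSS base score to the priority band it falls in."""
    for label, floor in PRIORITY_BANDS:
        if score >= floor:
            return label
    return "Low"


def severity_summary(notes):
    """Count notes per stated severity, in band order, including empty bands."""
    counts = {label: 0 for label, _ in PRIORITY_BANDS}
    for n in notes:
        counts[n.severity] = counts.get(n.severity, 0) + 1
    return counts


def inconsistent_ratings(notes):
    """Notes whose stated severity disagrees with the band their CVSS implies."""
    return [n.number for n in notes if priority_from_cvss(n.cvss) != n.severity]


def re_released(notes, patch_day=PATCH_DAY):
    """Notes dated before patch day are updates, not new releases: a landscape
    that already applied them still has to check the new version."""
    return sorted((n for n in notes if n.released < patch_day), key=lambda n: n.released)


def backlog(notes):
    """Patch order: highest CVSS first, note number as tie-breaker."""
    return sorted(notes, key=lambda n: (-n.cvss, n.number))


if __name__ == "__main__":
    notes = parse_notes(RAW_NOTES)
    print("Severity summary:", severity_summary(notes))
    print("Rating mismatches:", inconsistent_ratings(notes) or "none")
    print("Updated (not new) notes:", [n.number for n in re_released(notes)])
    for n in backlog(notes):
        print(f"{n.number}  {n.cvss:>4}  {n.severity:<7} {n.title}")
```

Running it reproduces the summary table (Hot News 0, High 2, Medium 8, Low 2) and singles out 2638217 and 3450286 as the two updated notes, which is exactly the distinction the article draws between the 10 new and 2 updated notes; in a real landscape the same script would take the note list exported from the support portal instead of the transcription.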