SAP Security Patch Day – March 2024
We find ourselves already at the doorstep of the third SAP Security Patch Day of the year! Once again, SAP has rolled out a batch of security patches, and as always, we’re here to delve into the highlights. It’s a common narrative in today’s digital landscape – headlines with tales of data breaches, ransomware attacks, and other cyber assaults that put organizations at risk. More often than not, the common thread linking these incidents is the presence of unpatched systems, serving as the Achilles’ heel in the defense against such threats.
These recurring headlines serve as a reminder of the imperative nature of patch management in IT security. It’s a task that organizations cannot afford to delay or ignore. The negative repercussions of neglecting this vital aspect of security infrastructure are abundantly clear, demonstrated time and again by dramatic real-world examples.
At SecurityBridge, we highly value the critical role of patch management and understand the intricate challenges it poses for organizations. Our Patch Management solution acts as a guiding light in this matter, offering invaluable insights into the patching gaps prevalent across SAP landscapes. Moreover, it enables organizations to assess the potential impact of specific patches, even before their deployment, presenting a comprehensive, landscape-wide overview of the patching status.
SAP Security Patches March 2024
For March 2024, 10 new Security Notes have been released and 2 have been updated. Let’s look at some highlights, starting with the ‘HotNews’ notes.
HotNews
This month brings 2 new HotNews notes. Note 2622660 has been updated for Google Chromium and SAP Business Client. This note is updated regularly; this time it concerns an update with CVSS 9.8 for which public exploits are available. Review it closely when it applies to your landscape!
Note 3425274 is newly released and describes a vulnerability when using the SAP Build platform. Interestingly, the underlying vulnerability dates back to 2019. Make sure to rebuild your apps with version 4.9.145 or higher, as stated in the note! The related CVSS score is 9.4.
A common component of an SAP Java system is the ‘Log Viewer’ for reviewing logs and further analysis. Many administrators will know this functionality. What is perhaps less known, is that a custom log file can also be uploaded to the application. Note 3433192 describes a vulnerability that is caused by improper validation of these files, which could have a severe impact on the confidentiality, integrity, and availability of the application (CVSS 9.1). Make sure to apply the relevant patches or the mentioned workaround!
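The note above attributes the Log Viewer issue to improper validation of user-uploaded log files. The block below is an added illustration of the checks a log-upload feature should apply before it stores or parses a file; it is not SAP's Log Viewer code and does not reproduce the correction in note 3433192 (which the note does not detail). The allowed extensions, the size cap and the upload directory are assumptions chosen for the demonstration.

```python
"""Validation of a user-uploaded log file before it is stored or parsed.

Added example: not SAP's Log Viewer code and not the fix from note 3433192.
It shows the checks an upload feature should apply so that a "log file"
cannot carry a path component, an unexpected extension or binary content.
Allowed extensions, size limit and upload directory are assumptions.
"""
import os
import re

ALLOWED_EXTENSIONS = {".log", ".txt"}            # assumption: plain log files only
MAX_SIZE_BYTES = 10 * 1024 * 1024                # assumption: 10 MiB cap
SAFE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}$")
UPLOAD_DIR = "/var/tmp/logviewer-uploads"       # placeholder, not an SAP path


def check_upload(filename: str, content: bytes) -> tuple[bool, str]:
    """Return (accepted, detail).

    On acceptance `detail` is the path the file may be written to; on
    rejection it names the failed check. Checks, in order:
      1. the name must be a bare file name (no '/', '\\' or '..' components)
         and match a strict character allow-list;
      2. the extension must be allow-listed;
      3. the size must be below the cap;
      4. the body must decode as UTF-8 and contain no control characters
         other than newline, carriage return and tab, which rejects
         archives, class files and other binaries disguised as logs.
    """
    normalised = filename.replace("\\", "/")
    base = os.path.basename(normalised)
    if base != filename or not SAFE_NAME.match(base):
        return False, "unsafe file name"
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension not allowed: {ext or '(none)'}"
    if len(content) > MAX_SIZE_BYTES:
        return False, "file too large"
    try:
        text = content.decode("utf-8")
    except UnicodeDecodeError:
        return False, "not UTF-8 text"
    if any(ord(ch) < 32 and ch not in "\n\r\t" for ch in text):
        return False, "control characters present"
    return True, os.path.join(UPLOAD_DIR, base)


if __name__ == "__main__":
    # Constructed samples, not real uploads.
    samples = [
        ("app_server.log", b"INFO 2024-03-12 server started\n"),
        ("../../etc/shadow.log", b"x"),
        ("plugin.jsp", b"<% %>"),
        ("archive.log", b"PK\x03\x04\x00\x00"),
    ]
    for name, body in samples:
        ok, detail = check_upload(name, body)
        print(f"{name!r}: {'accepted' if ok else 'rejected'} ({detail})")
```

The order of the checks matters: the name is reduced to a bare file name and matched against an allow-list before anything else looks at it, so a traversal component or an unexpected extension is rejected without the content ever being opened, and the content check runs only on files that already passed the cheap tests.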
CVE-2023-44487 – HTTP/2 Rapid Reset Attack
Now and then, a vulnerability comes to light that potentially affects many components. The same goes for the so-called ‘HTTP/2 Rapid Reset Attack’, cataloged as ‘CVE-2023-44487’. Those who keep a close eye on vulnerabilities, and on SAP Security patches in particular, may have noticed this vulnerability in 2023 and again in January of this year; see SAP notes 3390068 and 3389917. Exploitation may lead to a denial of service of the component concerned. The Internet Communication Manager (ICM) and SAP Web Dispatcher are examples of affected SAP components. Solutions that use these components may also be impacted, like SAP HANA XS Classic and Advanced. SAP note 3410615 has been released this month to address these products specifically for this vulnerability.
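To show why Rapid Reset defeats the ordinary HTTP/2 concurrent-stream limit and what the mitigation looks like, here is an added example of a per-connection RST_STREAM budget. It is illustrative code written for this article, not ICM, Web Dispatcher or HANA XS code, and the budget of 100 resets per one-second window is an assumption for the demonstration.

```python
"""Per-connection RST_STREAM budget of the kind HTTP/2 servers adopted
against Rapid Reset (CVE-2023-44487).

Added example, not SAP code; threshold and window are assumptions.
The concurrent-stream limit does not help against Rapid Reset because the
client cancels each request right after sending it: the cancelled stream no
longer counts against the limit while the server still spends work on it.
Counting cancellations per connection inside a sliding window, and closing a
connection that exceeds a budget no legitimate client approaches, is the
mitigation that servers adopted.
"""
from collections import defaultdict, deque


class RapidResetGuard:
    def __init__(self, max_resets: int = 100, window_s: float = 1.0):
        self.max_resets = max_resets          # assumption: budget per window
        self.window_s = window_s              # assumption: sliding window length
        self._resets = defaultdict(deque)     # conn_id -> recent RST_STREAM times
        self.closed = set()                   # connections told to go away

    def on_rst_stream(self, conn_id: str, now: float) -> bool:
        """Record a client-initiated RST_STREAM at time `now` (seconds).

        Returns True when the connection should be closed (in HTTP/2 terms,
        the server answers with GOAWAY). Timestamps older than the window are
        discarded, so a client that cancels a request now and then never
        accumulates enough to trip the guard.
        """
        if conn_id in self.closed:
            return True
        recent = self._resets[conn_id]
        recent.append(now)
        while recent and now - recent[0] > self.window_s:
            recent.popleft()
        if len(recent) > self.max_resets:
            self.closed.add(conn_id)
            del self._resets[conn_id]
            return True
        return False


def simulate(events, guard: RapidResetGuard) -> dict:
    """Feed (conn_id, time) RST_STREAM events, in time order, to the guard.

    Returns, per connection, how many resets were accepted before the
    connection was closed (or in total, if it never was).
    """
    accepted = defaultdict(int)
    for conn_id, t in events:
        if not guard.on_rst_stream(conn_id, t):
            accepted[conn_id] += 1
    return dict(accepted)


def constructed_events():
    """Constructed event stream: one client cancelling a request every two
    seconds, another cancelling 500 requests within half a second."""
    normal = [("client-a", 2.0 * i) for i in range(5)]
    flood = [("client-b", 0.001 * i) for i in range(500)]
    return sorted(normal + flood, key=lambda e: e[1])


if __name__ == "__main__":
    guard = RapidResetGuard()
    print(simulate(constructed_events(), guard))   # {'client-a': 5, 'client-b': 100}
    print("closed:", sorted(guard.closed))          # closed: ['client-b']
```

The sliding window is what makes the budget usable in practice: a browser that navigates away from a page legitimately cancels a handful of streams, and those timestamps age out long before they could add up to a closure, whereas a flood hits the budget within milliseconds and the connection is dropped before the server has processed more than the budgeted number of cancelled requests.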
Security notes with ‘High’ to ‘Medium’ priority
Most of these vulnerabilities only require patching the affected software component. Below we share some additional remarks concerning the other released security notes for February 2024:
SAP Security Notes March 2024
Highlights
For March 2024, 10 new Security Notes have been released and 2 have been updated.
Summary by Severity
The March release contains a total of 12 patches for the following severities:
Severity | Number
---|---
Hot News | 3
High | 3
Medium | 6
Note | Description | Priority | Released on | Components | Category | Severity | CVSS
---|---|---|---|---|---|---|---
2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | HotNews | 10.04.2018 | BC-FES-BUS-DSK | Program error | Hot News | 10.0
3425274 | [CVE-2019-10744] Code Injection vulnerability in applications built with SAP Build Apps | HotNews | 12.03.2024 | CA-LCA-ACP | Program error | Hot News | 9.4
3433192 | [CVE-2024-22127] Code Injection vulnerability in SAP NetWeaver AS Java (Administrator Log Viewer plug-in) | HotNews | 12.03.2024 | BC-JAS-ADM-LOG | Program error | Hot News | 9.1
3346500 | [CVE-2023-39439] Improper authentication in SAP Commerce Cloud | Correction with high priority | 08.08.2023 | CEC-SCC-PLA-PL | Program error | High | 8.8
3410615 | [CVE-2023-44487] Denial of service (DOS) in SAP HANA XS Classic and HANA XS Advanced | Correction with high priority | 12.03.2024 | HAN-AS-XS | Program error | High | 7.5
3414195 | [CVE-2023-50164] Path Traversal Vulnerability in SAP BusinessObjects Business Intelligence Platform (Central Management Console) | Correction with high priority | 12.03.2024 | BI-BIP-CMC | Program error | High | 7.2
3377979 | [CVE-2024-27902] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP, applications based on SAPGUI for HTML (WebGUI) | Correction with medium priority | 12.03.2024 | BC-FES-WGU | Program error | Medium | 5.4
3434192 | [CVE-2024-28163] Information Disclosure vulnerability in SAP NetWeaver Process Integration (Support Web Pages) | Correction with medium priority | 12.03.2024 | BC-XI-IBF-UI | Program error | Medium | 5.3
3425682 | [CVE-2024-25644] Information Disclosure vulnerability in SAP NetWeaver (WSRM) | Correction with medium priority | 12.03.2024 | BC-ESI-WS-JAV-RT | Program error | Medium | 5.3
3428847 | [CVE-2024-25645] Information Disclosure vulnerability in SAP NetWeaver (Enterprise Portal) | Correction with medium priority | 12.03.2024 | EP-PIN-APF-OPR | Program error | Medium | 5.3
3417399 | [CVE-2024-22133] Improper Access Control in SAP Fiori Front End Server | Correction with medium priority | 12.03.2024 | PA-FIO-LEA | Program error | Medium | 4.6
3419022 | [CVE-2024-27900] Missing Authorization check in SAP ABAP Platform | Correction with medium priority | 12.03.2024 | BC-SRV-APS-APJ | Program error | Medium | 4.3