Skip to content

SAP Security Patch Day – May 2024

ebde76d0d55c1a42c8ff2d0159c52217?s=96&d=mm&r=g
Gert-Jan Koster
SAP Security specialist
May 14, 2024
5 min read
Chapters

Share Article

SAP Security Patch Tuesday 2024

Looking at the fifth SAP Security Patch Day of the year, the imperative for maintaining robust security measures remains paramount. Once again, SAP has released a series of security patches, prompting a closer examination of the key highlights. This time, the update comprises a set of 15 notes. In today’s digital landscape, it’s a narrative we’re all too familiar with – headlines dominated by reports of data breaches, ransomware attacks, and other cyber threats that loom over organizations. Frequently, these incidents share a common vulnerability: unpatched systems, which represent a significant chink in the armor against such threats.

These recurring headlines underscore the indispensable nature of patch management in IT security. It’s a responsibility that organizations cannot afford to delay or neglect. The consequences of overlooking this vital component of security infrastructure are evident from numerous high-profile real-world examples.

At SecurityBridge, we understand the crucial importance of patch management and the challenges it poses for organizations. That’s why our Patch Management solution is designed to assist, offering invaluable insights into existing patching gaps within SAP landscapes. Moreover, it enables organizations to assess the potential impacts of specific patches proactively, providing a comprehensive overview of patching status across the entire landscape, even before implementation.

SAP Security Patches May 2024

For May 2024, 13 new Security Notes have been released and 2 have been updated. We will first go into the ‘HotNews’ notes and highlight other key points below. 

HotNews

In this release, 2 notes have ‘HotNews’ priority which refers to the CVSS score being 9.0 or higher. SAP note 3455438 is about SAP CX Commerce and actually bundles 2 vulnerabilities: CVE-2019-17495 and CVE-2022-36364. Interestingly, these CVE’s are pretty old and looking at the note, they got introduced in SAP CX Commerce via the use of other libraries. In this case Swagger UI and Apache Calcite Avatica. Solving the vulnerability is done simply by patching the HY_COM component. But it goes to show how easily known vulnerabilities can find their way back in…

In our April blog post, we briefly discussed the importance of secure file integration and the risk of not doing this properly. In this months release, we again have a ‘nice’ example of such a vulnerability. SAP note 3448171 describes how a malicious file can be uploaded to the SAP Content Server which can cause serious damage when the file is accessed at a later stage. The default settings have been changed by SAP in the provided fixes. However: note that the fix is only relevant for new installations but for existing installations, the described corrections need to be done manually. So take action here for these repositories!

Cross Site Scripting (XSS) vulnerabilities

Cross Site Scripting (XSS) attacks are a common type of attack where malicious scripts are injected that compromise the interaction between users and a web application. There are many examples around and also this month, there are 4 more for various SAP applications: SAP note 343179434484453460772 and 3450286. These range from priority ‘High’ to ‘Medium’. There are no workarounds here, simply patch the relevant components!

Notes with ‘Medium’ to ‘Low’ priority

SAP note 3446076 describes a vulnerability of the ‘PDFViewer’ that is a part of SAPUI5. A script may get executed within a PDF that causes a potential threat. This client-side script execution can be further controlled with the newly introduced property ‘isTrustedSource’. The property may have an affect on the user experience as well. Review where relevant.

The other notes of this months release have a ‘Medium’ to ‘Low’ priority and concern vulnerabilities like missing authorization checks, potential information disclosures and SQL injections. The main message is simple: take all these vulnerabilites seriously and patch! 

SAP Security Notes May 2024

Highlights

HotNews and XSS vulnerabilites.

Summary by Severity

The May release contains a total of 15 patches for the following severities:

SeverityNumber
Hot News
2
High
1
Medium
10
Low
2
NoteDescriptionSeverityCVSS
3455438[CVE-2019-17495] Multiple vulnerabilities in SAP CX Commerce
Priority: HotNews
Released on: 14.05.2024
Components: CEC-SCC-PLA-PL
Category: Program error
Hot News9.8
3448171[CVE-2024-33006] File upload vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform
Priority: HotNews
Released on: 14.05.2024
Components: BC-SRV-KPR-CMS
Category: Program error
Hot News9.6
3431794[CVE-2024-28165] Cross site scripting vulnerability in SAP BusinessObjects Business Intelligence Platform
Priority: Correction with high priority
Released on: 14.05.2024
Components: BI-BIP-INV
Category: Program error
High8.1
3448445[CVE-2024-34687] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application server for ABAP and ABAP Platform
Priority: Correction with medium priority
Released on: 14.05.2024
Components: BC-SRV-GBT-GOS
Category: Program error
Medium6.5
3460772[CVE-2024-33002] Cross-Site Scripting (XSS) Vulnerability in SAP S/4HANA (Document Service Handler for DPS)
Priority: Correction with medium priority
Released on: 14.05.2024
Components: BC-EIM-ESH
Category: Program error
Medium6.1
3450286[CVE-2024-32733] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform
Priority: Correction with medium priority
Released on: 14.05.2024
Components: BC-MID-AC
Category: Program error
Medium6.1
3447467[CVE-2024-32731] Missing Authorization check in SAP My Travel Requests
Priority: Correction with medium priority
Released on: 14.05.2024
Components: FI-TV-ODT-MTR
Category: Program error
Medium5.5
2745860Information Disclosure in Enterprise Services Repository of SAP Process Integration
Priority: Correction with medium priority
Released on: 11.05.2021
Components: BC-XI-IBD-INF
Category: Program error
Medium5.3
3349468[CVE-2024-33008] Memory Corruption vulnerability in SAP Replication Server
Priority: Correction with medium priority
Released on: 14.05.2024
Components: BC-SYB-REP
Category: Program error
Medium4.9
3449093[CVE-2024-33004] Insecure Storage vulnerability in SAP BusinessObjects Business Intelligence Platform (Webservices)
Priority: Correction with medium priority
Released on: 14.05.2024
Components: BI-BIP-INV
Category: Program error
Medium4.3
3434666[Multiple CVEs] Missing Authorization Checks in SAP S/4 HANA (Manage Bank Statement Reprocessing Rules)
Priority: Correction with medium priority
Released on: 14.05.2024
Components: FI-FIO-AR-PAY
Category: Program error
Medium4.3
2174651Potential information disclosure relating to PI Integration Directory
Priority: Correction with medium priority
Released on: 07.12.2017
Components: BC-XI-IBC
Category: Program error
Medium4.3
1938764[CVE-2024-33009] SQL injection vulnerability in SAP Global Label Management (GLM)
Priority: Correction with medium priority
Released on: 14.05.2024
Components: EHS-SAF-GLM
Category: Program error
Medium4.2
3446076[CVE-2024-33007] Client-side script execution vulnerability in SAP UI5(PDFViewer)
Priority: Correction with low priority
Released on: 14.05.2024
Components: CA-UI5-SC
Category: Program error
Low3.5
3392049[CVE-2024-33000] Missing Authorization check in SAP Bank Account Management
Priority: Correction with low priority
Released on: 14.05.2024
Components: FIN-FSCM-CLM-BAM
Category: Program error
Low3.5