May 14, 2024

SAP Security Patch Day – May 2024

Posted by

Gert-Jan Koster

Find recent Security Advisories for SAP©

Looking at the fifth SAP Security Patch Day of the year, the imperative for maintaining robust security measures remains paramount. Once again, SAP has released a series of security patches, prompting a closer examination of the key highlights. This time, the update comprises a set of 15 notes. In today’s digital landscape, it’s a narrative we’re all too familiar with – headlines dominated by reports of data breaches, ransomware attacks, and other cyber threats that loom over organizations. Frequently, these incidents share a common vulnerability: unpatched systems, which represent a significant chink in the armor against such threats.

These recurring headlines underscore the indispensable nature of patch management in IT security. It’s a responsibility that organizations cannot afford to delay or neglect. The consequences of overlooking this vital component of security infrastructure are evident from numerous high-profile real-world examples.

At SecurityBridge, we understand the crucial importance of patch management and the challenges it poses for organizations. That’s why our Patch Management solution is designed to assist, offering invaluable insights into existing patching gaps within SAP landscapes. Moreover, it enables organizations to assess the potential impacts of specific patches proactively, providing a comprehensive overview of patching status across the entire landscape, even before implementation.

SAP Security Patches May 2024

For May 2024, 13 new Security Notes have been released and 2 have been updated. We will first go into the ‘HotNews’ notes and highlight other key points below.

HotNews

In this release, 2 notes have ‘HotNews’ priority which refers to the CVSS score being 9.0 or higher. SAP note 3455438 is about SAP CX Commerce and actually bundles 2 vulnerabilities: CVE-2019-17495 and CVE-2022-36364. Interestingly, these CVE’s are pretty old and looking at the note, they got introduced in SAP CX Commerce via the use of other libraries. In this case Swagger UI and Apache Calcite Avatica. Solving the vulnerability is done simply by patching the HY_COM component. But it goes to show how easily known vulnerabilities can find their way back in…

In our April blog post, we briefly discussed the importance of secure file integration and the risk of not doing this properly. In this months release, we again have a ‘nice’ example of such a vulnerability. SAP note 3448171 describes how a malicious file can be uploaded to the SAP Content Server which can cause serious damage when the file is accessed at a later stage. The default settings have been changed by SAP in the provided fixes. However: note that the fix is only relevant for new installations but for existing installations, the described corrections need to be done manually. So take action here for these repositories!

Cross Site Scripting (XSS) vulnerabilities

Cross Site Scripting (XSS) attacks are a common type of attack where malicious scripts are injected that compromise the interaction between users and a web application. There are many examples around and also this month, there are 4 more for various SAP applications: SAP note 3431794, 3448445, 3460772 and 3450286. These range from priority ‘High’ to ‘Medium’. There are no workarounds here, simply patch the relevant components!

Notes with 'Medium' to 'Low' priority

SAP note 3446076 describes a vulnerability of the ‘PDFViewer’ that is a part of SAPUI5. A script may get executed within a PDF that causes a potential threat. This client-side script execution can be further controlled with the newly introduced property ‘isTrustedSource’. The property may have an affect on the user experience as well. Review where relevant.

The other notes of this months release have a ‘Medium’ to ‘Low’ priority and concern vulnerabilities like missing authorization checks, potential information disclosures and SQL injections. The main message is simple: take all these vulnerabilites seriously and patch!

SAP Security Notes May 2024

Highlights

HotNews and XSS vulnerabilites.

Summary by Severity

The May release contains a total of 15 patches for the following severities:

Severity	Number
Hot News	2
High	1
Medium	10
Low	2

Note	Description	Severity	CVSS
3455438	[CVE-2019-17495] Multiple vulnerabilities in SAP CX Commerce Priority: HotNews Released on: 14.05.2024 Components: CEC-SCC-PLA-PL Category: Program error	Hot News	9.8
3448171	[CVE-2024-33006] File upload vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform Priority: HotNews Released on: 14.05.2024 Components: BC-SRV-KPR-CMS Category: Program error	Hot News	9.6
3431794	[CVE-2024-28165] Cross site scripting vulnerability in SAP BusinessObjects Business Intelligence Platform Priority: Correction with high priority Released on: 14.05.2024 Components: BI-BIP-INV Category: Program error	High	8.1
3448445	[CVE-2024-34687] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application server for ABAP and ABAP Platform Priority: Correction with medium priority Released on: 14.05.2024 Components: BC-SRV-GBT-GOS Category: Program error	Medium	6.5
3460772	[CVE-2024-33002] Cross-Site Scripting (XSS) Vulnerability in SAP S/4HANA (Document Service Handler for DPS) Priority: Correction with medium priority Released on: 14.05.2024 Components: BC-EIM-ESH Category: Program error	Medium	6.1
3450286	[CVE-2024-32733] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform Priority: Correction with medium priority Released on: 14.05.2024 Components: BC-MID-AC Category: Program error	Medium	6.1
3447467	[CVE-2024-32731] Missing Authorization check in SAP My Travel Requests Priority: Correction with medium priority Released on: 14.05.2024 Components: FI-TV-ODT-MTR Category: Program error	Medium	5.5
2745860	Information Disclosure in Enterprise Services Repository of SAP Process Integration Priority: Correction with medium priority Released on: 11.05.2021 Components: BC-XI-IBD-INF Category: Program error	Medium	5.3
3349468	[CVE-2024-33008] Memory Corruption vulnerability in SAP Replication Server Priority: Correction with medium priority Released on: 14.05.2024 Components: BC-SYB-REP Category: Program error	Medium	4.9
3449093	[CVE-2024-33004] Insecure Storage vulnerability in SAP BusinessObjects Business Intelligence Platform (Webservices) Priority: Correction with medium priority Released on: 14.05.2024 Components: BI-BIP-INV Category: Program error	Medium	4.3
3434666	[Multiple CVEs] Missing Authorization Checks in SAP S/4 HANA (Manage Bank Statement Reprocessing Rules) Priority: Correction with medium priority Released on: 14.05.2024 Components: FI-FIO-AR-PAY Category: Program error	Medium	4.3
2174651	Potential information disclosure relating to PI Integration Directory Priority: Correction with medium priority Released on: 07.12.2017 Components: BC-XI-IBC Category: Program error	Medium	4.3
1938764	[CVE-2024-33009] SQL injection vulnerability in SAP Global Label Management (GLM) Priority: Correction with medium priority Released on: 14.05.2024 Components: EHS-SAF-GLM Category: Program error	Medium	4.2
3446076	[CVE-2024-33007] Client-side script execution vulnerability in SAP UI5(PDFViewer) Priority: Correction with low priority Released on: 14.05.2024 Components: CA-UI5-SC Category: Program error	Low	3.5
3392049	[CVE-2024-33000] Missing Authorization check in SAP Bank Account Management Priority: Correction with low priority Released on: 14.05.2024 Components: FIN-FSCM-CLM-BAM Category: Program error	Low	3.5